Analysis
-
max time kernel
106s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
23-12-2024 19:47
Behavioral task
behavioral1
Sample
77c959e96ec69c684f202425cf7e46915269a0c43e68ff500d32521f53a40423.exe
Resource
win7-20240903-en
General
-
Target
77c959e96ec69c684f202425cf7e46915269a0c43e68ff500d32521f53a40423.exe
-
Size
1.2MB
-
MD5
8b27862c705f26387e854acb9c718365
-
SHA1
d282df079a708dc1a81df2ec3ac6c89482f75d37
-
SHA256
77c959e96ec69c684f202425cf7e46915269a0c43e68ff500d32521f53a40423
-
SHA512
e90154b5b6edb47112b96084cb7a9dfc4551d4f011b5bea49d6e92eea825ea7de3dac6b0b223f1e2bbaed335a94a0160a4457944f5dbda003ca8234178aecdb8
-
SSDEEP
24576:HovxCwgMBqHO5ZdYXOp0nQrXctTfK+d+MrTXowFlw57XYBwJtik:WIwgMEuy+inDfp3/XoCw57XYBwKk
Malware Config
Signatures
-
resource | yara_rule
behavioral1/memory/2448-23-0x0000000010000000-0x00000000101BA000-memory.dmp | purplefox_rootkit
behavioral1/memory/2448-24-0x0000000010000000-0x00000000101BA000-memory.dmp | purplefox_rootkit
behavioral1/memory/2612-49-0x0000000010000000-0x00000000101BA000-memory.dmp | purplefox_rootkit
behavioral1/memory/2612-53-0x0000000010000000-0x00000000101BA000-memory.dmp | purplefox_rootkit
behavioral1/memory/2612-57-0x0000000010000000-0x00000000101BA000-memory.dmp | purplefox_rootkit
behavioral1/memory/2488-70-0x0000000005D90000-0x00000000060F0000-memory.dmp | purplefox_rootkit
behavioral1/memory/2488-339-0x0000000005D90000-0x00000000060F0000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 7 IoCs
resource | yara_rule
behavioral1/files/0x000700000001925e-14.dat | family_gh0strat
behavioral1/memory/2448-23-0x0000000010000000-0x00000000101BA000-memory.dmp | family_gh0strat
behavioral1/memory/2448-24-0x0000000010000000-0x00000000101BA000-memory.dmp | family_gh0strat
behavioral1/memory/2612-49-0x0000000010000000-0x00000000101BA000-memory.dmp | family_gh0strat
behavioral1/memory/2612-53-0x0000000010000000-0x00000000101BA000-memory.dmp | family_gh0strat
behavioral1/memory/2612-57-0x0000000010000000-0x00000000101BA000-memory.dmp | family_gh0strat
behavioral1/memory/2488-339-0x0000000005D90000-0x00000000060F0000-memory.dmp | family_gh0strat
Gh0strat family
-
Purplefox family
-
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\drivers\QAssist.sys | Ghiya.exe
Server Software Component: Terminal Services DLL 1 TTPs 21 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259445293.txt" | AK47.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259446744.txt" | AK47.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259447992.txt" | AK47.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259449443.txt" | AK47.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259451097.txt" | AK47.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259452938.txt" | AK47.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259452953.txt" | AK47.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259455371.txt" | AK47.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259448023.txt" | AK47.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259448694.txt" | AK47.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259450161.txt" | AK47.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259452080.txt" | AK47.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259456104.txt" | AK47.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259457508.txt" | AK47.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259458179.txt" | AK47.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259450192.txt" | AK47.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259453983.txt" | AK47.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259455449.txt" | AK47.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259448663.txt" | AK47.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259453967.txt" | AK47.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\259454810.txt" | AK47.exe
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" | Ghiya.exe
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk | 77c959e96ec69c684f202425cf7e46915269a0c43e68ff500d32521f53a40423.exe
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe" | 77c959e96ec69c684f202425cf7e46915269a0c43e68ff500d32521f53a40423.exe
Drops file in System32 directory 57 IoCs
resource | yara_rule
behavioral1/memory/2448-23-0x0000000010000000-0x00000000101BA000-memory.dmp | upx
behavioral1/memory/2448-24-0x0000000010000000-0x00000000101BA000-memory.dmp | upx
behavioral1/memory/2448-21-0x0000000010000000-0x00000000101BA000-memory.dmp | upx
behavioral1/memory/2612-49-0x0000000010000000-0x00000000101BA000-memory.dmp | upx
behavioral1/memory/2612-53-0x0000000010000000-0x00000000101BA000-memory.dmp | upx
behavioral1/memory/2612-57-0x0000000010000000-0x00000000101BA000-memory.dmp | upx
behavioral1/memory/2488-339-0x0000000005D90000-0x00000000060F0000-memory.dmp | upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Runs ping.exe 1 TTPs 64 IoCs
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid | Process
2232 | 77c959e96ec69c684f202425cf7e46915269a0c43e68ff500d32521f53a40423.exe
2232 | 77c959e96ec69c684f202425cf7e46915269a0c43e68ff500d32521f53a40423.exe
2232 | 77c959e96ec69c684f202425cf7e46915269a0c43e68ff500d32521f53a40423.exe
2232 | 77c959e96ec69c684f202425cf7e46915269a0c43e68ff500d32521f53a40423.exe
2232 | 77c959e96ec69c684f202425cf7e46915269a0c43e68ff500d32521f53a40423.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2488 | WScript.exe
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
2612 | Ghiya.exe
Suspicious behavior: RenamesItself 1 IoCs
pid | Process
2232 | 77c959e96ec69c684f202425cf7e46915269a0c43e68ff500d32521f53a40423.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\77c959e96ec69c684f202425cf7e46915269a0c43e68ff500d32521f53a40423.exe"C:\Users\Admin\AppData\Local\Temp\77c959e96ec69c684f202425cf7e46915269a0c43e68ff500d32521f53a40423.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"2⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2896
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2304
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul3⤵
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵PID:2600
-
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"2⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1748
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1960
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1932
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1448
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2952 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1180
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1796
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2796 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2204
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
PID:2176
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2156 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2000
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:584
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2904 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2784
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2716
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2848 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2752
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1792
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2932 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1984
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1896
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:872 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2808
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2804
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2384 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3032
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2556 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:940
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1180
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3016 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:632 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1572
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1672 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:840
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2152
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1508 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1628
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2692
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2840 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:340
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2512
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2544 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:816
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2220
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2216 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2696
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2716
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2388 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:956
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2376
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2908 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Drops file in System32 directory
PID:1284
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1796
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1180 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1632 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:3064
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2300 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3032
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
PID:1644
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2112 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:3052
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1000
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:1880 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Drops file in System32 directory
PID:1572
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
PID:2224
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2128 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2984
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2840
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:1736 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Drops file in System32 directory
PID:2596
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Drops file in System32 directory
PID:2692
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2696
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2380
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:1204 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
PID:2724
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Drops file in System32 directory
PID:2004
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2820 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1440
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:640
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:2828 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
PID:924
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- Drops file in System32 directory
PID:1532
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:348 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:892
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2112
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:108 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- System Location Discovery: System Language Discovery
PID:1484
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2064
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2960 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:3064
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2492
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:1776 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- System Location Discovery: System Language Discovery
PID:1416
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2780
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2772 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1692
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2604
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:1528 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1044
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2264
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1000 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1584 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2984
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:2760 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2816
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1216
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3040 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1532
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1220
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:2380 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:856
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2828
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2956 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1700
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1552
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:888 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1448
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1632
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:108 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:300
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:648
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:2720 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2420
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- System Location Discovery: System Language Discovery
PID:2540
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1776 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2680
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2700
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:2264 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1792
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2672
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2800 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2384
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
PID:344
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:2500 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2124
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2576
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2440 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1660
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2988
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:2696 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2044
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1504
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1220
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2428
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:408 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:292
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2616
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1892 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2772
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2716
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:2372 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2564
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2708
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1884 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2912
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:2976 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2816
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2820
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1396 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1044 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:3040
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:708 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2588
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:992
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1944 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1956
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3016
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:2380 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1864
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:348
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2696 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1580
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2900
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:3068 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1620
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1416
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2224 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2660
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2968
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2236
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2784
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2996
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1884 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2672 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3004
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1040
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2392
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2780
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2512 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2112
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:912
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1100
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1184
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2216
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:708 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2220
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2956
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2980
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2700
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2244
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1852 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2824 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:592
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:408
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1956
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2548
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:832 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1500
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:3052
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2040
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2808
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1792
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2564 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1840
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2816
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1464
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2916
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2904
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1708 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1888
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:1732
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2788
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1916
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2588
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:708 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2376
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- System Location Discovery: System Language Discovery
PID:1044 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:856
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2380
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2600 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1660
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
PID:1408
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1956
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2428
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1996
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1880 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1480
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:1704
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1004
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2716
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1936
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:540 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2268
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2512
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1040
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2180
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:940
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1984 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2692
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1184
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2728
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2912
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1960
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:708 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:920
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2952
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2560
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:888
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2064
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2600 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1892
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:1996
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2420 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2676
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2832
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1484 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:632
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2668
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2636
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2824
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2708
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2916 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1284
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1796
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2976
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1708
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1932
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2780 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2492
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2392
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2908
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2604
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:568
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:560 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2124
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2204
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:888
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1512
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:3040
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:856 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
PID:2376 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2104
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:3068
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1552
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2752
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2236 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2652
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2156
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2264
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2040
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- System Location Discovery: System Language Discovery
PID:2636
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1204 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1440
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:632
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1896
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1980
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1416
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2780 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3064 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:492
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2604
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1864
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:560
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2800 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2568 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2576
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2724
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:884
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:856
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2640 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:612
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1520
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2336
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1492
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2564
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2972 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2680
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2960
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1464
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- System Location Discovery: System Language Discovery
PID:1204
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2968
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2880 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1416
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2672
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:756
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1216
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1796
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2808 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2408
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2556
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:3004
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1852
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2128
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2604 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2380
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2692
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2700
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1360
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- System Location Discovery: System Language Discovery
PID:2372
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2832 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1524
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:3032
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2564
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2716
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2596
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2124 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2856
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2376
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:620
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2776
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2996
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2900 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1356 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:968
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2768
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1924
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:756
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1612
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:1560
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2800
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1512
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2064
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1732
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2032
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2372
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1232
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1536
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2576
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1540
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1736
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2420
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2636
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:3012
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2760
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2220
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2440
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1740
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2880
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2840
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1728
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1700
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2512
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2792
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:756
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1408
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:632
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2156
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1204 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2448
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:956
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1896
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2560
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2176
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2244
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1936
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2556
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:292
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:3044
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2940
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2952
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:612
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1184
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2752
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2692
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:3068
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2712
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1644
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1692
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:620
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1984
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:872
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2496 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2916
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:340
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2284
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2680
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:992
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2268 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1584
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2792
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1360
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1396
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:300
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2388
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2408
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2716
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1560
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:648
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2556
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
PID:2044 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2688
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:920
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1492
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2032
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:924
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1520
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1580
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2076
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1736
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1672
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2616
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1740
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
PID:1844
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2828
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:784
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1708
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2820
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2144
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2736
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2440
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:492
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2800
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2792
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1960 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1416
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2560
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2912
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2604
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2064
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1936
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:1528
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:584
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2568
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1932
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2952
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1700
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:832
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:3052
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2004
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- System Location Discovery: System Language Discovery
PID:2712
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:3056
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1616
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1720
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1480
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1520
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1628
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2920
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1796 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2724
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2600
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1884
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2520
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2196
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2588
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2248
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1852
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2732
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2132
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2528
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:3012
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2508
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1504
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2636
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2548
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2192
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1588
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2076
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1792
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1044
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:3064
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:900
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:344
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1356
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1964
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:932
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2828
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2288
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2644
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1880
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:632
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2440
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2500
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:348
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3004 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2700
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:904
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2072
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:492
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- System Location Discovery: System Language Discovery
PID:1992 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2752
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1916
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2248
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:584
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- System Location Discovery: System Language Discovery
PID:2772
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:612
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1960
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
PID:2568
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2300
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- System Location Discovery: System Language Discovery
PID:1932
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:920
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2008
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2688
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2228
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:936
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- System Location Discovery: System Language Discovery
PID:1708
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:620
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1360
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1660
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2712
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:108
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2748
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1448
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2600
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2620 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2120
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1680
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1636
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- System Location Discovery: System Language Discovery
PID:1872
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1552
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1852
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1796
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1204
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1880
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2284
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:648
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2192 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2564
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2264 -
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2736
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:992
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1316
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1932
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:852
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1044
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1784
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵
- System Location Discovery: System Language Discovery
PID:2760
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- System Location Discovery: System Language Discovery
PID:832 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
PID:1548 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:780
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2828
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2520
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:884
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:3016
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2748 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1892
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1692
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:540
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1356
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1556
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
PID:2088 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1552
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1680
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2724
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1704
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2124
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2896
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2596
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2848
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1060
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2544
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2880
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2296
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2128
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2004
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:3056
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1916
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2636
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1184
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:620
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2300
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:932
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1908
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1360
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1724
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2040
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2828
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:348
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:3032
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2768
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1580
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1872
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2076
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2800
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:888
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2260
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1892
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:1976
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:408
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1040
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1284
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:648
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2984
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2880
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1624
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2212
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2204
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1776
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:872
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:3064
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:996
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2952
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1732
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:816
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2580
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
PID:884
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2220
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵
- System Location Discovery: System Language Discovery
PID:2300
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2176
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1844
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:620
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2708
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2904
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1184
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:612
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2888
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:888 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:904
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:288
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2064
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1232
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2292
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1268
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2644
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:380
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1868
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1196
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2848
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2588
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:3056
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2384
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1748
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1892
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1464
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2952
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2984
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1540
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:996
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2520
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:932
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2000
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1588
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:848
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1408
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:108
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:344
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2192 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2180
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:540
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2836
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2712
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2988
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:1232 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:2516
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1060
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2840
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2256
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:1552
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2212
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2512
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2608
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:888
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2236
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- System Location Discovery: System Language Discovery
PID:2856 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2508
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵PID:1916
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:1484
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:2244
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1888
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2648
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:996 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2352
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2660
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1800
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1572
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:1736
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- System Location Discovery: System Language Discovery
- Runs ping.exe
PID:2780
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:972
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:1632
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:1960
-
-
C:\Users\Admin\AppData\Local\Temp\AK74.exeC:\Users\Admin\AppData\Local\Temp\\AK74.exe4⤵PID:2560
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul5⤵PID:2836
-
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.16⤵
- Runs ping.exe
PID:2888
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"3⤵PID:2192
-
C:\Users\Admin\AppData\Local\Temp\AK47.exe"C:\Users\Admin\AppData\Local\Temp\AK47.exe"4⤵PID:540
-
-
C:\Users\Admin\AppData\Local\Temp\AK47.exeC:\Users\Admin\AppData\Local\Temp\\AK47.exe4⤵PID:2044
-
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵PID:1980
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"1⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exeC:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\259445293.txt",MainThread2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2612
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵
- Executes dropped EXE
PID:2816
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1220 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵
- Executes dropped EXE
PID:1976
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵
- Executes dropped EXE
PID:2636
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵
- Executes dropped EXE
PID:2244
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵
- Executes dropped EXE
PID:2508
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1728 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵
- Executes dropped EXE
PID:2072
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵
- Executes dropped EXE
PID:592
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵
- Executes dropped EXE
PID:2236
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1840 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵
- Executes dropped EXE
PID:2816
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:784
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2588
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1500
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1484
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2512
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2544
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2700
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2284
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1524
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:788
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:956
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2132
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1572
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2548
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1980
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:540
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2808
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:816
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2216
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1748
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:780
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2928
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1548
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1620
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1884
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2752
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1356
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2080
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:492
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- System Location Discovery: System Language Discovery
PID:1360 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2600
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:3000
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2540
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1984
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1528
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2112
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2176
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1260
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2608
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2824
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2088
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2049823799-1505696493-53748095098122523-78446575-944739707-2412976668580647"1⤵PID:2828
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:584
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1552
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "143171316921171818131983367343-1156304263-313039593-600723985-1626324752-1802368601"1⤵PID:1220
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2508
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2792
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2976
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1888
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1644
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2152
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "2064946207-2755243151524619164819125664-17519239546581245211985272909626508147"1⤵PID:2608
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:108
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1660
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:336
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2720
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2772
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:3048
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1085742630-7947659361639869636640538718-1079635764-1732848256-14601394781925345463"1⤵PID:1220
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1924
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2776
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1100
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1644
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1892
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2044
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1992
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2652
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1724
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2628
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2138028957-192881351868047585-393412711754689319-1206623033246558971-817290662"1⤵PID:3048
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2672
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2784
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-10068950561076636551149473973-513100357-300969906475594087350940910-1054740787"1⤵PID:1840
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2124
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2528
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:348
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2044
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1992
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2828
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1245103670-1090603380-168551685515356126494771596382137739631-316082638-1633218655"1⤵PID:592
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:340
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1440
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2672
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2784
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- System Location Discovery: System Language Discovery
PID:1732 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2080
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2544
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2044
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1508
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1776
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1548
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2296
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2984
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2180
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "154549102849100508168625706-1568897211-84278372-1453654823-13734543621432230575"1⤵PID:2588
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2132
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2736
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1184
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:292
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2096324681-451704995-444059111-19590691018460028992146339430-1550352868-1005472843"1⤵PID:1484
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1528
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2040
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2668
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1356
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2828
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1916
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2132
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2224
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:568
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1736
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-3459388711047397107-21211561121637565832704202856357210582-1797098596-684152091"1⤵PID:2492
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2796
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:924
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1480
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2192
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- System Location Discovery: System Language Discovery
PID:1916 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2932
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1260
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2640
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2928
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:780
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-10849880771687819666-1414339795-1611885711-19021765125970662081953213693-594319864"1⤵PID:1776
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1840
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:3000
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "327762888-2053617418825612033-615753617-114072859816134913631862922432083713978"1⤵PID:2916
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:3052
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2496
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:3016
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2268
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2088
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2648
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2528
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1748
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-61104068-11740053664735120416684750611515230080245188487-1489896198-1309242272"1⤵PID:2128
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2236
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2776
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:3056
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1144
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1532
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2344
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1260
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2588
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2204
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2796
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1888
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:612
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1316
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1980
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1531929011-11805843731130236022-345145429-1189772675-519586210668203480-875516054"1⤵PID:2180
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:3016
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2728
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1556
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2448
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:3012
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:3068
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1276
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:788
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1572431636-11418872981898000233-1982994076-970184534-1146947102-3930565441851557602"1⤵PID:1672
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:344
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1592
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2932
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2824
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-609165618495746001005109719-2155321461613151858-876033771-120196929828816967"1⤵PID:2916
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2620
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1556
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1748
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2524
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1736
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2924
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2808
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1784
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "53630692654995377616531816551368526133-372521822-1587871680251599876-2114862767"1⤵PID:340
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:3016
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2040
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1221933013-159080860920769742001475435079-436705662-1819614666-16492651551033128611"1⤵PID:1984
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵
- System Location Discovery: System Language Discovery
PID:1396 -
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2896
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1204
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1748
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2660
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1736
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2236
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1628
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-6391464282072199488293546916-7726196271193124781-690064945-12377429351300171093"1⤵PID:2220
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1700
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2176
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2492
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1556
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2724
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1656
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2996
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1888
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1916
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:3052
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1848490845-565249756-1753596383910356699-1729627823318282382829567827-1807203439"1⤵PID:2044
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:932
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2352
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "9845881961038659916544230792797685554-2130932744975029077-1853588539-1067114888"1⤵PID:2920
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2688
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1584
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-4810131775654618058344345211325466210-18849316741116310911228447303-727882887"1⤵PID:2496
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1636
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2712
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1460745005-146357207252371389-1224133729-751318957258142303-363391954-669963330"1⤵PID:2268
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1880
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2120
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "450235691-19147301997820136251949295019-2103958551-1708784801144041760-1473078332"1⤵PID:1396
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2640
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2968
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1707967390992054402-14699444321354024057-243553460-1189753361-152035906700101914"1⤵PID:1736
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1784
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2568
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-75825126121428351582055946166719708725-737727393-1683789438-1227590387-1943154590"1⤵PID:612
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1260
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2500
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "193670364-733836796-8929234847201234493861812571718879646-2098476753-1064376381"1⤵PID:1980
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2924
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1960
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2064
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2524
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "83323012-123939422705036719-1782991820-749253192091577123516822742-62259386"1⤵PID:1644
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1552
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2972
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:560
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1936
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:992
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1908
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2037021965-1531876281-1390733096-120092314512252359351305406814-1381655624-1540215805"1⤵PID:1700
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:3032
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:780
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "3917712942024965035-8654859581619475230-942975909-327352935229986962-1434306915"1⤵PID:1480
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2304
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2720
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:892
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1100
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2640
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:352
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-177373391931786463-20220421691905111977-1358661749-10152203201186241646-439403275"1⤵PID:1616
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2636
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1144
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1141902809350249241-2051021292-3307099061965428659-286403947975836111176780"1⤵PID:2568
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1800
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1448
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2580
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2560
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:2552
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1680
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-989340147-348019016185339721894602549719387250411322510377-17523573854331360"1⤵PID:1040
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:776
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:3004
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1748
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:924
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1624
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:1924
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1944
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:2984
-
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -auto1⤵PID:1844
-
C:\Windows\SysWOW64\Ghiya.exeC:\Windows\SysWOW64\Ghiya.exe -acsi2⤵PID:592
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Server Software Component (1)
  - Terminal Services DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
Downloads