gh0strat | 04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164

Analysis

max time kernel
55s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2025, 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe
Size

1.2MB
MD5

1c9e0da41c2af4c10e7ab64b1c850eed
SHA1

2cc4f89bbbadf3358fdbb11ff43c9733bcfef3fa
SHA256

04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164
SHA512

2698d6248213ce1f82a63d4dfc64d8dfa67edfbd06300ee6f028ce28902edc5bf8777684a7a8ad20cb519f934595631913b373ceba88e25e8adf13f861a02d19
SSDEEP

24576:HovxCwgMBqHO5ZdYXOp0nQrXctTfK+d+MrTXowFlw57XYBwJtiZ:WIwgMEuy+inDfp3/XoCw57XYBwKZ

Score

10^/10

gh0strat purplefox discovery persistence rat rootkit trojan upx vmprotect

Malware Config

Signatures

Detect PurpleFox Rootkit 7 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/2376-27-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral2/memory/2376-26-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral2/memory/2000-39-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral2/memory/2000-40-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral2/memory/1556-50-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral2/memory/1556-52-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral2/memory/1556-55-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 8 IoCs

resource	yara_rule
behavioral2/files/0x0032000000023b5c-17.dat	family_gh0strat
behavioral2/memory/2376-27-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral2/memory/2376-26-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral2/memory/2000-39-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral2/memory/2000-40-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral2/memory/1556-50-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral2/memory/1556-52-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat
behavioral2/memory/1556-55-0x0000000010000000-0x00000000101BA000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\QAssist.sys	Ghiya.exe

Server Software Component: Terminal Services DLL 1 TTPs 10 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240628937.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240619796.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240620515.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240623296.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240621546.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240623312.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240628281.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240615937.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240618140.txt"	AK47.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Ö÷¶¯·ÀÓù·þÎñÄ£¿é\Parameters\ServiceDll = "C:\\Windows\\system32\\240620531.txt"	AK47.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	Ghiya.exe

Checks computer location settings 2 TTPs 44 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchcst.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\win.lnk	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe

Executes dropped EXE 64 IoCs

pid	Process
1616	AK47.exe
1180	AK47.exe
2376	AK74.exe
2000	Ghiya.exe
1556	Ghiya.exe
60	svchcst.exe
1996	AK47.exe
3472	AK47.exe
3256	AK74.exe
2196	Ghiya.exe
224	Ghiya.exe
4456	svchcst.exe
3036	AK47.exe
3024	AK47.exe
316	AK74.exe
2412	Ghiya.exe
2708	Ghiya.exe
1560	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
4460	svchcst.exe
1960	AK47.exe
1160	AK47.exe
4828	AK74.exe
868	Ghiya.exe
2000	Ghiya.exe
3768	svchcst.exe
4352	AK47.exe
3236	AK47.exe
4692	AK74.exe
1996	Ghiya.exe
4776	Ghiya.exe
3636	svchcst.exe
3364	AK47.exe
4684	AK47.exe
4440	AK74.exe
2668	Ghiya.exe
776	Ghiya.exe
3004	svchcst.exe
5044	AK47.exe
1092	AK47.exe
4992	AK74.exe
2000	Ghiya.exe
3980	Ghiya.exe
3884	svchcst.exe
5064	AK47.exe
2896	AK47.exe
4776	AK74.exe
2272	Ghiya.exe
3768	Ghiya.exe
1444	svchcst.exe
4308	AK47.exe
2432	AK47.exe
1544	AK74.exe
1432	Ghiya.exe
3984	Ghiya.exe
4368	svchcst.exe
3688	AK47.exe
5084	AK47.exe
3044	AK74.exe
4076	Ghiya.exe
1128	Ghiya.exe
2000	svchcst.exe
3004	AK47.exe
2384	AK47.exe
2308	AK74.exe

Loads dropped DLL 14 IoCs

pid	Process
1616	AK47.exe
5068	svchost.exe
1996	AK47.exe
3024	AK47.exe
1560	Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
1960	AK47.exe
1160	AK47.exe
4352	AK47.exe
4684	AK47.exe
3364	AK47.exe
1092	AK47.exe
2896	AK47.exe
4308	AK47.exe
5084	AK47.exe

VMProtect packed file 32 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/3700-0-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/3700-1-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/files/0x000a000000023b63-60.dat	vmprotect
behavioral2/memory/60-105-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/4456-146-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/4460-197-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/3768-236-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/3636-280-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/3700-281-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/3004-311-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/3884-336-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/1444-371-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/4368-402-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/2000-425-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/3312-456-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/2524-483-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/2144-510-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/2136-535-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/2432-565-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/3600-592-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/116-619-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/1440-643-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/404-674-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/1692-701-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/4912-728-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/4684-756-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/4296-783-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/1672-810-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/4144-837-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/4832-864-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/2144-890-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect
behavioral2/memory/4308-917-0x0000000000400000-0x0000000000760000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360safo = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchcst.exe"	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe

Drops file in System32 directory 34 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\240621546.txt	AK47.exe
File created	C:\Windows\SysWOW64\240623312.txt	AK47.exe
File created	C:\Windows\SysWOW64\240626562.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\240619796.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\240615937.txt	AK47.exe
File created	C:\Windows\SysWOW64\240623296.txt	AK47.exe
File created	C:\Windows\SysWOW64\240628937.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\Ghiya.exe	AK74.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\240628281.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\Ghiya.exe	AK74.exe
File created	C:\Windows\SysWOW64\240618140.txt	AK47.exe
File created	C:\Windows\SysWOW64\240621546.txt	AK47.exe
File created	C:\Windows\SysWOW64\240626562.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\240628281.txt	AK47.exe
File created	C:\Windows\SysWOW64\240628937.txt	AK47.exe
File created	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe	svchost.exe
File created	C:\Windows\SysWOW64\240618140.txt	AK47.exe
File created	C:\Windows\SysWOW64\240620515.txt	AK47.exe
File created	C:\Windows\SysWOW64\240620531.txt	AK47.exe
File created	C:\Windows\SysWOW64\240615937.txt	AK47.exe
File created	C:\Windows\SysWOW64\240619796.txt	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	AK47.exe
File created	C:\Windows\SysWOW64\240624546.txt	AK47.exe
File created	C:\Windows\SysWOW64\240624546.txt	AK47.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2376-25-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/2376-27-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/2376-26-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/2000-39-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/2000-40-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/2000-37-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/1556-50-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/1556-52-0x0000000010000000-0x00000000101BA000-memory.dmp	upx
behavioral2/memory/1556-55-0x0000000010000000-0x00000000101BA000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
2076	1092	WerFault.exe	143
2144	5044	WerFault.exe	142
3540	5044	WerFault.exe	142
4420	1092	WerFault.exe	143
5072	5064	WerFault.exe	161
4108	2896	WerFault.exe	162
4092	5064	WerFault.exe	161

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ghiya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AK47.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4772	PING.EXE
2564	PING.EXE
4680	PING.EXE
4104	PING.EXE
1692	PING.EXE
1128	cmd.exe
3752	cmd.exe
3996	PING.EXE
3772	cmd.exe
1452	cmd.exe
1128	cmd.exe
2580	cmd.exe
4716	cmd.exe
4524	cmd.exe
2412	cmd.exe
1900	cmd.exe
1452	cmd.exe
3020	cmd.exe
5072	PING.EXE
2844	PING.EXE
2892	PING.EXE
3880	PING.EXE
4420	cmd.exe
1376	cmd.exe
5116	cmd.exe
4800	cmd.exe
1772	PING.EXE
3504	PING.EXE
2368	cmd.exe
2612	cmd.exe
3552	PING.EXE
1320	cmd.exe
2164	PING.EXE
4440	PING.EXE
1868	cmd.exe
4336	cmd.exe
1172	PING.EXE
4908	PING.EXE
4824	PING.EXE
1268	cmd.exe
2668	cmd.exe
3984	cmd.exe
1144	cmd.exe
1460	PING.EXE
3524	cmd.exe
2236	cmd.exe
1996	PING.EXE
532	PING.EXE
3240	cmd.exe
996	cmd.exe
1088	PING.EXE
1564	cmd.exe
1092	PING.EXE
2844	PING.EXE
2988	PING.EXE
4084	PING.EXE
1548	cmd.exe
3620	cmd.exe
1716	PING.EXE
916	cmd.exe
5104	PING.EXE
4208	PING.EXE
2092	PING.EXE
932	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
1472	PING.EXE
2208	PING.EXE
436	PING.EXE
3968	PING.EXE
2272	PING.EXE
868	PING.EXE
716	PING.EXE
3004	PING.EXE
2272	PING.EXE
1996	PING.EXE
532	PING.EXE
3788	PING.EXE
3840	PING.EXE
5104	PING.EXE
2308	PING.EXE
4680	PING.EXE
1856	PING.EXE
4796	PING.EXE
2936	PING.EXE
2272	PING.EXE
4208	PING.EXE
2272	PING.EXE
1672	PING.EXE
2560	PING.EXE
3276	PING.EXE
2844	PING.EXE
2164	PING.EXE
4496	PING.EXE
4104	PING.EXE
1460	PING.EXE
4208	PING.EXE
1464	PING.EXE
2784	PING.EXE
2844	PING.EXE
1692	PING.EXE
4108	PING.EXE
4616	PING.EXE
4084	PING.EXE
3784	PING.EXE
4952	PING.EXE
4336	PING.EXE
2524	PING.EXE
5076	PING.EXE
4804	PING.EXE
756	PING.EXE
2144	PING.EXE
4788	PING.EXE
716	PING.EXE
3996	PING.EXE
2864	PING.EXE
3180	PING.EXE
5096	PING.EXE
2296	PING.EXE
2196	PING.EXE
2564	PING.EXE
2292	PING.EXE
4440	PING.EXE
2888	PING.EXE
1092	PING.EXE
3472	PING.EXE
5096	PING.EXE
1088	PING.EXE
1900	PING.EXE
1336	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3700	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe
3700	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe
3700	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe
3700	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe
3700	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe
3700	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe
3700	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe
3700	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1556	Ghiya.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3700	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2376	AK74.exe
Token: SeLoadDriverPrivilege	1556	Ghiya.exe
Token: SeIncBasePriorityPrivilege	3256	AK74.exe
Token: SeIncBasePriorityPrivilege	316	AK74.exe
Token: SeIncBasePriorityPrivilege	4828	AK74.exe
Token: SeIncBasePriorityPrivilege	4692	AK74.exe
Token: SeIncBasePriorityPrivilege	4440	AK74.exe
Token: SeIncBasePriorityPrivilege	4992	AK74.exe
Token: SeIncBasePriorityPrivilege	4776	AK74.exe
Token: SeIncBasePriorityPrivilege	1544	AK74.exe
Token: SeIncBasePriorityPrivilege	3044	AK74.exe
Token: SeIncBasePriorityPrivilege	2308	AK74.exe
Token: SeIncBasePriorityPrivilege	1288	AK74.exe
Token: SeIncBasePriorityPrivilege	2964	AK74.exe
Token: SeIncBasePriorityPrivilege	4964	AK74.exe
Token: SeIncBasePriorityPrivilege	1856	AK74.exe
Token: SeIncBasePriorityPrivilege	4636	AK74.exe
Token: SeIncBasePriorityPrivilege	2076	AK74.exe
Token: SeIncBasePriorityPrivilege	4772	AK74.exe
Token: SeIncBasePriorityPrivilege	3104	AK74.exe
Token: SeIncBasePriorityPrivilege	2612	AK74.exe
Token: SeIncBasePriorityPrivilege	716	AK74.exe
Token: SeIncBasePriorityPrivilege	1424	AK74.exe
Token: SeIncBasePriorityPrivilege	3996	AK74.exe
Token: SeIncBasePriorityPrivilege	2196	AK74.exe
Token: SeIncBasePriorityPrivilege	116	AK74.exe
Token: SeIncBasePriorityPrivilege	1312	AK74.exe
Token: SeIncBasePriorityPrivilege	5072	AK74.exe
Token: SeIncBasePriorityPrivilege	4524	AK74.exe
Token: SeIncBasePriorityPrivilege	4176	AK74.exe
Token: SeIncBasePriorityPrivilege	4764	AK74.exe
Token: SeIncBasePriorityPrivilege	5080	AK74.exe
Token: SeIncBasePriorityPrivilege	2916	AK74.exe
Token: SeIncBasePriorityPrivilege	4712	AK74.exe
Token: SeIncBasePriorityPrivilege	2868	AK74.exe
Token: SeIncBasePriorityPrivilege	916	AK74.exe
Token: SeIncBasePriorityPrivilege	4784	AK74.exe
Token: SeIncBasePriorityPrivilege	5072	AK74.exe
Token: SeIncBasePriorityPrivilege	2292	AK74.exe
Token: SeIncBasePriorityPrivilege	4716	AK74.exe
Token: SeIncBasePriorityPrivilege	3748	AK74.exe
Token: SeIncBasePriorityPrivilege	5056	AK74.exe
Token: SeIncBasePriorityPrivilege	3868	AK74.exe
Token: SeIncBasePriorityPrivilege	4528	AK74.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3700	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe
3700	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe
60	svchcst.exe
60	svchcst.exe
4456	svchcst.exe
4456	svchcst.exe
4460	svchcst.exe
4460	svchcst.exe
3768	svchcst.exe
3768	svchcst.exe
3636	svchcst.exe
3636	svchcst.exe
3004	svchcst.exe
3004	svchcst.exe
3884	svchcst.exe
3884	svchcst.exe
1444	svchcst.exe
1444	svchcst.exe
4368	svchcst.exe
4368	svchcst.exe
2000	svchcst.exe
2000	svchcst.exe
3312	svchcst.exe
3312	svchcst.exe
2524	svchcst.exe
2524	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
2136	svchcst.exe
2136	svchcst.exe
2432	svchcst.exe
2432	svchcst.exe
3600	svchcst.exe
3600	svchcst.exe
116	svchcst.exe
116	svchcst.exe
1440	svchcst.exe
1440	svchcst.exe
404	svchcst.exe
404	svchcst.exe
1692	svchcst.exe
1692	svchcst.exe
4912	svchcst.exe
4912	svchcst.exe
4684	svchcst.exe
4684	svchcst.exe
4296	svchcst.exe
4296	svchcst.exe
1672	svchcst.exe
1672	svchcst.exe
4144	svchcst.exe
4144	svchcst.exe
4832	svchcst.exe
4832	svchcst.exe
2144	svchcst.exe
2144	svchcst.exe
4308	svchcst.exe
4308	svchcst.exe
4896	svchcst.exe
4896	svchcst.exe
2088	svchcst.exe
2088	svchcst.exe
4784	svchcst.exe
4784	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3700 wrote to memory of 1616	3700	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe	83
PID 3700 wrote to memory of 1616	3700	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe	83
PID 3700 wrote to memory of 1616	3700	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe	83
PID 3700 wrote to memory of 1180	3700	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe	84
PID 3700 wrote to memory of 1180	3700	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe	84
PID 3700 wrote to memory of 1180	3700	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe	84
PID 3700 wrote to memory of 2376	3700	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe	85
PID 3700 wrote to memory of 2376	3700	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe	85
PID 3700 wrote to memory of 2376	3700	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe	85
PID 2376 wrote to memory of 3620	2376	AK74.exe	89
PID 2376 wrote to memory of 3620	2376	AK74.exe	89
PID 2376 wrote to memory of 3620	2376	AK74.exe	89
PID 2000 wrote to memory of 1556	2000	Ghiya.exe	90
PID 2000 wrote to memory of 1556	2000	Ghiya.exe	90
PID 2000 wrote to memory of 1556	2000	Ghiya.exe	90
PID 3620 wrote to memory of 2164	3620	cmd.exe	92
PID 3620 wrote to memory of 2164	3620	cmd.exe	92
PID 3620 wrote to memory of 2164	3620	cmd.exe	92
PID 3700 wrote to memory of 1912	3700	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe	93
PID 3700 wrote to memory of 1912	3700	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe	93
PID 3700 wrote to memory of 1912	3700	04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe	93
PID 1912 wrote to memory of 60	1912	WScript.exe	95
PID 1912 wrote to memory of 60	1912	WScript.exe	95
PID 1912 wrote to memory of 60	1912	WScript.exe	95
PID 60 wrote to memory of 1996	60	svchcst.exe	127
PID 60 wrote to memory of 1996	60	svchcst.exe	127
PID 60 wrote to memory of 1996	60	svchcst.exe	127
PID 60 wrote to memory of 3472	60	svchcst.exe	97
PID 60 wrote to memory of 3472	60	svchcst.exe	97
PID 60 wrote to memory of 3472	60	svchcst.exe	97
PID 60 wrote to memory of 3256	60	svchcst.exe	130
PID 60 wrote to memory of 3256	60	svchcst.exe	130
PID 60 wrote to memory of 3256	60	svchcst.exe	130
PID 3256 wrote to memory of 2096	3256	AK74.exe	100
PID 3256 wrote to memory of 2096	3256	AK74.exe	100
PID 3256 wrote to memory of 2096	3256	AK74.exe	100
PID 2196 wrote to memory of 224	2196	Ghiya.exe	101
PID 2196 wrote to memory of 224	2196	Ghiya.exe	101
PID 2196 wrote to memory of 224	2196	Ghiya.exe	101
PID 2096 wrote to memory of 1828	2096	cmd.exe	103
PID 2096 wrote to memory of 1828	2096	cmd.exe	103
PID 2096 wrote to memory of 1828	2096	cmd.exe	103
PID 1912 wrote to memory of 4456	1912	WScript.exe	104
PID 1912 wrote to memory of 4456	1912	WScript.exe	104
PID 1912 wrote to memory of 4456	1912	WScript.exe	104
PID 4456 wrote to memory of 3036	4456	svchcst.exe	105
PID 4456 wrote to memory of 3036	4456	svchcst.exe	105
PID 4456 wrote to memory of 3036	4456	svchcst.exe	105
PID 4456 wrote to memory of 3024	4456	svchcst.exe	106
PID 4456 wrote to memory of 3024	4456	svchcst.exe	106
PID 4456 wrote to memory of 3024	4456	svchcst.exe	106
PID 4456 wrote to memory of 316	4456	svchcst.exe	107
PID 4456 wrote to memory of 316	4456	svchcst.exe	107
PID 4456 wrote to memory of 316	4456	svchcst.exe	107
PID 316 wrote to memory of 4804	316	AK74.exe	109
PID 316 wrote to memory of 4804	316	AK74.exe	109
PID 316 wrote to memory of 4804	316	AK74.exe	109
PID 2412 wrote to memory of 2708	2412	Ghiya.exe	110
PID 2412 wrote to memory of 2708	2412	Ghiya.exe	110
PID 2412 wrote to memory of 2708	2412	Ghiya.exe	110
PID 4804 wrote to memory of 4788	4804	cmd.exe	156
PID 4804 wrote to memory of 4788	4804	cmd.exe	156
PID 4804 wrote to memory of 4788	4804	cmd.exe	156
PID 5068 wrote to memory of 1560	5068	svchost.exe	113

C:\Users\Admin\AppData\Local\Temp\04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe
"C:\Users\Admin\AppData\Local\Temp\04e4a41175e5cd0125a1ae9d32a971360db6fc050030823e47679bde52aa8164.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Users\Admin\AppData\Local\Temp\AK47.exe
  "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1616
- C:\Users\Admin\AppData\Local\Temp\AK47.exe
  C:\Users\Admin\AppData\Local\Temp\\AK47.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1180
- C:\Users\Admin\AppData\Local\Temp\AK74.exe
  C:\Users\Admin\AppData\Local\Temp\\AK74.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 2 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2164
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:60
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:3472
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3256
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2096
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1828
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:3036
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:316
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4804
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:4788
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4460
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:1160
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4828
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1376
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2272
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3768
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:4352
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:3236
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2292
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3256
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:744
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3636
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:4684
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:3364
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4440
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5116
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5104
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:5044
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 424
        5⤵
        Program crash
        
        PID:2144
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 432
        5⤵
        Program crash
        
        PID:3540
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:1092
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 420
        5⤵
        Program crash
        
        PID:2076
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 444
        5⤵
        Program crash
        
        PID:4420
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1856
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3884
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:5064
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 348
        5⤵
        Program crash
        
        PID:5072
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 352
        5⤵
        Program crash
        
        PID:4092
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:2896
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 420
        5⤵
        Program crash
        
        PID:4108
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4800
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4496
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:4308
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4892
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1172
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4368
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:3688
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:5084
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1092
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1376
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2000
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      Executes dropped EXE
      PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      Executes dropped EXE
      PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2308
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3240
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:684
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:3312
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:5032
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2888
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1288
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1464
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:5096
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3840
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4896
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2580
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:868
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1716
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3996
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2236
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:2296
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:2136
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3240
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1164
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3528
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2272
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1464
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4052
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4636
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1160
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:4336
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:3600
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4944
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4900
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2076
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4716
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:716
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:116
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:5064
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:3904
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4772
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4776
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2560
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:1440
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4696
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4052
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2988
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4564
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:404
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1160
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2612
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3184
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3276
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1376
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:716
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2088
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4772
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4912
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:636
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1424
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4896
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2292
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:4684
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4496
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3996
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2308
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:4296
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:932
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4920
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2196
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4716
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4440
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:1672
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3404
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1476
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:116
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3504
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:4144
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2068
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1312
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3004
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4104
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:4832
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1260
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5072
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1376
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1568
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:2144
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3404
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4524
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3992
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2524
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:4308
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1696
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4176
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2368
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3996
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:4896
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1260
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2964
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:916
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2272
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1364
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:5044
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4136
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5080
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2668
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2144
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    PID:4784
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3808
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4020
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3984
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1996
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:3536
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4448
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:832
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4712
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:228
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4616
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3404
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1432
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4524
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1476
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:3364
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:4716
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4384
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4468
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2936
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2988
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:2412
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3848
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4024
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:996
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4208
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:4800
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3916
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5072
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:228
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1432
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:4924
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:436
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:116
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2292
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1144
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:716
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:3440
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4176
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4716
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4412
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:3620
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:1904
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4636
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1088
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2196
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    PID:3276
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4972
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5056
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:5080
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1472
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:8
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4560
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4908
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:444
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Location Discovery: System Language Discovery
        Runs ping.exe
        
        PID:2888
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    PID:4020
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4496
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4528
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4024
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4084
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4080
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1260
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4520
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4796
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3860
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3616
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2136
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3180
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1100
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:532
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5024
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2000
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:5040
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:636
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4788
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2356
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:4612
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2092
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2308
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3848
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2612
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2564
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1904
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1576
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1160
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2076
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3180
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1868
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2148
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1144
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4952
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2888
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2124
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4424
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2368
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2092
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:744
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1452
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4448
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4208
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3768
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2168
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2996
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:932
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1692
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1460
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:844
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4692
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:5040
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4440
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2560
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1424
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4372
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3692
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2936
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4412
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4812
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:404
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1088
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3516
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1728
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4656
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4164
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3404
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2208
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1320
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4972
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4420
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:636
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2272
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3744
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4964
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3840
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3252
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2300
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4944
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:5076
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1832
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1376
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4428
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2492
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1564
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1996
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3244
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1008
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4800
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:404
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1252
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5072
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1180
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2868
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3404
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1868
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1092
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4352
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3376
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1864
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3256
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4372
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4496
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1772
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3552
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4940
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2300
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2008
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2612
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2068
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3992
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:5104
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1996
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4664
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1724
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3472
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3268
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4764
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2208
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1320
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1464
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4296
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4804
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:756
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4464
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2784
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2308
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3252
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2888
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1364
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3744
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:4784
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:688
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2420
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1128
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3004
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3204
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4828
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3220
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3784
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2844
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4652
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4936
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2076
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4524
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3276
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1716
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:460
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2136
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:224
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:716
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3808
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4908
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4612
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3788
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3772
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2412
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:436
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4688
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2040
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4472
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4108
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1088
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4208
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4104
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1900
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:832
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1460
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3404
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:5044
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3528
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:5056
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2844
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4804
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:5024
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:212
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3840
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3880
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3340
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3588
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4020
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1452
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3552
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:5096
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4636
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4956
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3524
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1672
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5116
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4520
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2168
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:404
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1088
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1900
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3244
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3748
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2844
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4452
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:932
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4336
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1336
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5076
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4612
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2088
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1792
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:444
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2272
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2896
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4080
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4956
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4900
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4772
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:4932
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3540
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4432
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1460
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4084
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:684
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1472
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2236
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:5080
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3268
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4420
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1548
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:4972
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3180
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3408
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:224
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1312
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1336
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:2888
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4940
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2064
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:64
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3572
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1452
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4824
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2008
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4448
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1260
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4704
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1996
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4712
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2316
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2224
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2168
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3332
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1252
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3268
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3860
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4236
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2580
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4972
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4680
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1632
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4692
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1100
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2064
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3788
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2888
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4020
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1076
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1452
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:5096
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2036
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4932
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:4240
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1128
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:832
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1464
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1476
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:232
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4420
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:756
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:716
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3016
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:192
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2912
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1732
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1772
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3884
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4336
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2092
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3396
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3772
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3968
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4956
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2492
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3384
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1832
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:1992
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:4904
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4600
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:5044
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1012
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4828
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1320
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1460
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2204
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:232
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1268
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:3600
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3168
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:4236
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3008
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3408
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3776
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2892
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2308
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1208
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:916
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:1772
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1828
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:1192
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3020
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1172
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:5044
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:3616
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:2996
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3752
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:4696
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:4548
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3768
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:3756
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        
        PID:4920
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:2204
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:1152
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4296
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4564
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2844
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:3672
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:3372
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:8
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:3180
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:4960
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:2864
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      "C:\Users\Admin\AppData\Local\Temp\AK47.exe"
      4⤵
      PID:2008
  - - C:\Users\Admin\AppData\Local\Temp\AK47.exe
      C:\Users\Admin\AppData\Local\Temp\\AK47.exe
      4⤵
      PID:2456
  - - C:\Users\Admin\AppData\Local\Temp\AK74.exe
      C:\Users\Admin\AppData\Local\Temp\\AK74.exe
      4⤵
      PID:4052
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\AK74.exe > nul
        5⤵
        
        PID:2896
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3840

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
PID:1260

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "Ö÷¶¯·ÀÓù·þÎñÄ£¿é"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe
  C:\Windows\system32\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe "c:\windows\system32\240615937.txt",MainThread
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1560

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:1556

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:224

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:2708

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
PID:868
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:2000

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
PID:1996
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:4776

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
PID:2668
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1092 -ip 1092
1⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5044 -ip 5044
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5044 -ip 5044
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1092 -ip 1092
1⤵
PID:1704

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2000
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5064 -ip 5064
1⤵
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2896 -ip 2896
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5064 -ip 5064
1⤵
PID:1132

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2272
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:3768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:744

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
PID:1432
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:3984

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- Executes dropped EXE
PID:4076
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:1128

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:1692
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1132

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2460
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4296

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:1704
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1088

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:4232
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:932

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2096
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3088

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4144
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4796

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2132
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1692

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4912
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:5116

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:776
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4684

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:1868
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2076

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1000
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1856

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4800
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2376

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv +q8oOrhjNEuvgBYpSJZPcg.0.2
1⤵
PID:1440

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:392
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4236

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3784
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2144

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3088
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1424

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:3020
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3996

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:684
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2572

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:436
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2308

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2784
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:440

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:2376

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2508
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4572

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:1740
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4788

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2008
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3848

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1972
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4764

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2476
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4300

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:4336
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4944

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1996
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4936

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4616
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:5056

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4432
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2416

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2988
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2936

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1260
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:996

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3616
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2236

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
- System Location Discovery: System Language Discovery
PID:5040
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4952

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2936
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4772

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:232
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4920

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1620
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:5092

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:436
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4248

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2524
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1488

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:224
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4144

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1624
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4560

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3256
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3772

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4900
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1396

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:392
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3528

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1948
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4352

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4908
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3924

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:180
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4240

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4520
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3536

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3408
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4384

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:64
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4924

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:688
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2524

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4936
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:832

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4524
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4896

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1312
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2888

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4596
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4824

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1564
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4448

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4432
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4136

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1180
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3728

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4308
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3968

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2828
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3612

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4704
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4232

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:232
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2908

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2948
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1424

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2460
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1452

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2936
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:5052

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1996
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3784

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1396
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4296

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4708
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4788

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4372
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4440

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1816
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4900

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4240
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4764

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4420
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4236

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:224
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2956

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:64
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4440

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1816
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3812

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1444
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4936

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4236
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4408

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4908
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4464

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1164
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4024

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4472
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3648

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:228
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4560

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4408
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3600

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4660
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2096

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4824
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4224

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4084
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4704

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4548
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2148

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4964
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2956

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2300
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4944

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4892
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:416

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3980
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4432

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3768
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1072

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:1968
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:216

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3848
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3588

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2456
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3992

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:996
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:3772

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:636
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:2252

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:3808
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:1568

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:4336
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4692

C:\Windows\SysWOW64\Ghiya.exe
C:\Windows\SysWOW64\Ghiya.exe -auto
1⤵
PID:2612
- C:\Windows\SysWOW64\Ghiya.exe
  C:\Windows\SysWOW64\Ghiya.exe -acsi
  2⤵
  PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AK47.exe

Filesize
91KB

MD5
423eb994ed553294f8a6813619b8da87

SHA1
eca6a16ccd13adcfc27bc1041ddef97ec8081255

SHA256
050b4f2d5ae8eaecd414318dc8e222a56f169626da6ca8feb7edd78e8b1f0218

SHA512
fab0a9af8031c242c486de373df7277c8b0e39f7a0c9c2ac2e385dbd3ea67be16e91b128287634f76131e5264149ab1b452cd21df4c4895e8c4efc8d8cf99095

Download Submit
C:\Users\Admin\AppData\Local\Temp\AK74.exe

Filesize
400KB

MD5
b0998aa7d5071d33daa5b60b9c3c9735

SHA1
9365a1ff0c6de244d6f36c8d84072cc916665d3c

SHA256
3080b6bb456564899b0d99d4131bd6a0b284d31f7d80ef773e4872d94048d49a

SHA512
308c13cda9fea39b980ae686f44afd9090e9cb8970fffc4436320e0d09a31aee5e656914e0121fe888098a14c52749716fa04980396fd6ac70a88c11cbb6b850

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
29ce53e2a4a446614ccc8d64d346bde4

SHA1
39a7aa5cc1124842aa0c25abb16ea94452125cbe

SHA256
56225be6838bc6e93ea215891eacf28844ae27a9f8b2b29bf19d3a8c2b1f58df

SHA512
b2c5a2708c427171a5715801f8ea733ffe88d73aaaaf59c5c752ea32cbe7aae8526cc26eabe84ad5043174c0c69b1d6b15a9fb125c15accfac3462d5d08a0faa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
91599bcc3fcb49e532ff56e2c3e7d23d

SHA1
2a5f8e3212035fbda31ea330c32bc74b999171b6

SHA256
a6a63e5d9f22c00fadafacdbdd6d9bfc17963412fcabfe3c55f48e15d5dc89cc

SHA512
a89b8d80d13b377cc3d74e22ce30611d40c2849dc4df973a294757c849c786a308300dee0cad8f3897985a5ff1fa340ad0855762972bbba60d6b3aa292ce2f81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.2MB

MD5
a643440f8339b1b18de9d7423423c246

SHA1
3e152a3cfef66d3b7f4d1ae3a6a38ebe06756a2b

SHA256
00c8f26a8ef9f8032e144b442f89c493c58d55733b674e0a873961d93ddda684

SHA512
3213aae281f56199b47836191f5e6b9095f419f4f2796706133d6d4b766c844fc1d7d3a0414cb1bbc0294d01f490aad6d9895d06e1f1772b6ccb36960c8a6a36

Download Submit
C:\Windows\SysWOW64\240615937.txt

Filesize
49KB

MD5
02b71c7c79f7cd102d18d55120b752d2

SHA1
78d1953ca6abfd6c94d31f4d49d79be89b2a7faf

SHA256
f940dba10a60b0262c7d77ae7904e9115a5e6cf0053fadc86368f9c70afabc46

SHA512
56d360eb3c1e4d9a2a09f83840389183995e3e4e83b3daa984001b8a8318137b4a4fcf5b22224fa2a6cbd50f49353c448278cabeebff98dfe43f55ba4c692102

Download Submit
C:\Windows\SysWOW64\ini.ini

Filesize
45B

MD5
9d10eec6cd18ff706c0772fe547a6142

SHA1
ff85444d16908b70a3000567f4ce6d1b6fa97388

SHA256
401317bb25614ddaf74f9adcb04953da8ba34978df6cb78b3fe936d460e2a917

SHA512
d52796fc67406bc3eff780e9af92ecce3569669603cdb8f86e749213001bb06da42228462bcffe42b01ca1cbc9b3e1f31cf48e4aac89e1999287fb98986f90a0

Download Submit
C:\Windows\SysWOW64\Ö÷¶¯·ÀÓù·þÎñÄ£¿é.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/60-105-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/116-619-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/404-674-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1440-643-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1444-371-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1556-52-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/1556-50-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/1556-55-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/1672-810-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/1692-701-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2000-37-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2000-40-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2000-39-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2000-425-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2136-535-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2144-890-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2144-510-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2376-25-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2376-27-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2376-26-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/2432-565-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/2524-483-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/3004-311-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/3312-456-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/3600-592-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/3636-280-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/3700-281-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/3700-1-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/3700-0-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/3768-236-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/3884-336-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/4144-837-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/4296-783-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/4308-917-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/4368-402-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/4456-146-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/4460-197-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/4684-756-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/4832-864-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download
memory/4912-728-0x0000000000400000-0x0000000000760000-memory.dmp

Filesize
3.4MB

Download