ardamax | 440696d0079d2137a5c1236279c2b2298167051c27a59325fddf0f4f56f7b1b2

Analysis

max time kernel
36s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-02-2025 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ae06a4d1e5342c6ace7587b0de04d4df.exe
Size

1.8MB
MD5

ae06a4d1e5342c6ace7587b0de04d4df
SHA1

fb25a9016f23a64285808a7ce6eeee6ac5a280da
SHA256

440696d0079d2137a5c1236279c2b2298167051c27a59325fddf0f4f56f7b1b2
SHA512

3758212e9ff2db500a521ecdeae86a15269ec557bd2a752477a9054db0ef79d2b46241f07217ae7e4313af2a11f1cac148cd779efc22964a9ce47620dbe46c04
SSDEEP

24576:5o1dv2igD/Ro9r/wgR+j++SMT3UAubmitrZVx4tKCXfC2b7t4uc+UxaqukBWQg:5NmJ/1TtsUAqz4VK2P2Q4aqHfg

Score

10^/10

ardamax discovery keylogger persistence stealer themida

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 2 IoCs

resource	yara_rule
behavioral1/files/0x00060000000173fb-31.dat	family_ardamax
behavioral1/files/0x000600000001748f-64.dat	family_ardamax

Executes dropped EXE 64 IoCs

pid	Process
2472	KeyHack.exe
2904	HSGA.exe
2908	KeyHack.exe
2620	HSGA.exe
2684	KeyHack.exe
2864	HSGA.exe
1272	KeyHack.exe
2884	HSGA.exe
1960	KeyHack.exe
1864	HSGA.exe
1372	KeyHack.exe
1980	HSGA.exe
1608	KeyHack.exe
2268	HSGA.exe
1672	KeyHack.exe
2220	HSGA.exe
1392	KeyHack.exe
1384	HSGA.exe
960	KeyHack.exe
2516	HSGA.exe
1788	KeyHack.exe
1224	HSGA.exe
1764	KeyHack.exe
1576	HSGA.exe
1712	KeyHack.exe
2068	HSGA.exe
2820	KeyHack.exe
1588	HSGA.exe
2240	KeyHack.exe
2796	HSGA.exe
2672	KeyHack.exe
1796	HSGA.exe
2772	KeyHack.exe
2460	HSGA.exe
2340	KeyHack.exe
2156	HSGA.exe
2728	KeyHack.exe
2980	HSGA.exe
3036	KeyHack.exe
2836	HSGA.exe
1808	KeyHack.exe
1832	HSGA.exe
1232	KeyHack.exe
2552	HSGA.exe
2140	KeyHack.exe
2144	HSGA.exe
724	KeyHack.exe
1760	HSGA.exe
2268	KeyHack.exe
1756	HSGA.exe
1692	KeyHack.exe
2468	HSGA.exe
1700	KeyHack.exe
2272	HSGA.exe
2360	KeyHack.exe
896	HSGA.exe
1768	KeyHack.exe
3068	HSGA.exe
1600	KeyHack.exe
2408	HSGA.exe
2068	KeyHack.exe
2700	HSGA.exe
2912	KeyHack.exe
2872	HSGA.exe

Loads dropped DLL 64 IoCs

pid	Process
2156	JaffaCakes118_ae06a4d1e5342c6ace7587b0de04d4df.exe
2156	JaffaCakes118_ae06a4d1e5342c6ace7587b0de04d4df.exe
2472	KeyHack.exe
2472	KeyHack.exe
2472	KeyHack.exe
2472	KeyHack.exe
2908	KeyHack.exe
2908	KeyHack.exe
2908	KeyHack.exe
2908	KeyHack.exe
2684	KeyHack.exe
2684	KeyHack.exe
2904	HSGA.exe
2684	KeyHack.exe
2684	KeyHack.exe
2864	HSGA.exe
2904	HSGA.exe
2712	NOTEPAD.EXE
2712	NOTEPAD.EXE
2684	KeyHack.exe
2684	KeyHack.exe
1272	KeyHack.exe
1272	KeyHack.exe
1272	KeyHack.exe
2884	HSGA.exe
2884	HSGA.exe
1272	KeyHack.exe
1272	KeyHack.exe
1272	KeyHack.exe
1960	KeyHack.exe
1960	KeyHack.exe
1960	KeyHack.exe
1864	HSGA.exe
1864	HSGA.exe
1960	KeyHack.exe
1960	KeyHack.exe
1960	KeyHack.exe
1372	KeyHack.exe
1372	KeyHack.exe
1372	KeyHack.exe
1980	HSGA.exe
1980	HSGA.exe
1372	KeyHack.exe
1372	KeyHack.exe
1372	KeyHack.exe
1608	KeyHack.exe
1608	KeyHack.exe
1608	KeyHack.exe
1608	KeyHack.exe
2268	HSGA.exe
2268	HSGA.exe
1672	KeyHack.exe
1672	KeyHack.exe
1672	KeyHack.exe
2220	HSGA.exe
2220	HSGA.exe
1672	KeyHack.exe
1672	KeyHack.exe
1672	KeyHack.exe
1392	KeyHack.exe
1392	KeyHack.exe
1392	KeyHack.exe
1384	HSGA.exe
1392	KeyHack.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2156-25-0x0000000000400000-0x0000000000525000-memory.dmp	themida

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HSGA Agent = "C:\\Windows\\SysWOW64\\28463\\HSGA.exe"	HSGA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\HSGA.006	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\AKV.exe	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\HSGA.001	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.exe	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\HSGA.001	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\HSGA.001	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\HSGA.001	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.exe	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.exe	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.006	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.007	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463	HSGA.exe
File created	C:\Windows\SysWOW64\28463\HSGA.007	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\HSGA.006	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\HSGA.001	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.exe	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.007	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\HSGA.007	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.exe	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\AKV.exe	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\HSGA.007	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\HSGA.001	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.006	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463	HSGA.exe
File opened for modification	C:\Windows\SysWOW64\28463\HSGA.007	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\AKV.exe	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.exe	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.exe	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.exe	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\HSGA.007	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.exe	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.006	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\HSGA.007	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.006	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\AKV.exe	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.exe	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.exe	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\AKV.exe	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.006	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\HSGA.007	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\HSGA.006	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\HSGA.001	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463	HSGA.exe
File opened for modification	C:\Windows\SysWOW64\28463\HSGA.001	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\HSGA.001	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\AKV.exe	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.exe	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\AKV.exe	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\HSGA.007	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.exe	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.006	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\HSGA.001	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.exe	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.006	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.exe	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\HSGA.001	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\HSGA.001	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.exe	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.007	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.006	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.exe	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.exe	KeyHack.exe
File created	C:\Windows\SysWOW64\28463\HSGA.006	KeyHack.exe
File opened for modification	C:\Windows\SysWOW64\28463\HSGA.001	KeyHack.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KeyHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSGA.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2712	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2904	HSGA.exe
Token: SeIncBasePriorityPrivilege	2904	HSGA.exe
Token: 33	2884	HSGA.exe
Token: SeIncBasePriorityPrivilege	2884	HSGA.exe
Token: 33	1864	HSGA.exe
Token: SeIncBasePriorityPrivilege	1864	HSGA.exe
Token: 33	1980	HSGA.exe
Token: SeIncBasePriorityPrivilege	1980	HSGA.exe
Token: 33	2268	HSGA.exe
Token: SeIncBasePriorityPrivilege	2268	HSGA.exe
Token: 33	2220	HSGA.exe
Token: SeIncBasePriorityPrivilege	2220	HSGA.exe
Token: 33	1384	HSGA.exe
Token: SeIncBasePriorityPrivilege	1384	HSGA.exe
Token: 33	2516	HSGA.exe
Token: SeIncBasePriorityPrivilege	2516	HSGA.exe
Token: 33	1224	HSGA.exe
Token: SeIncBasePriorityPrivilege	1224	HSGA.exe
Token: 33	1576	HSGA.exe
Token: SeIncBasePriorityPrivilege	1576	HSGA.exe
Token: 33	2068	HSGA.exe
Token: SeIncBasePriorityPrivilege	2068	HSGA.exe
Token: 33	1588	HSGA.exe
Token: SeIncBasePriorityPrivilege	1588	HSGA.exe
Token: 33	2796	HSGA.exe
Token: SeIncBasePriorityPrivilege	2796	HSGA.exe
Token: 33	1796	HSGA.exe
Token: SeIncBasePriorityPrivilege	1796	HSGA.exe
Token: 33	2460	HSGA.exe
Token: SeIncBasePriorityPrivilege	2460	HSGA.exe
Token: 33	2156	HSGA.exe
Token: SeIncBasePriorityPrivilege	2156	HSGA.exe
Token: 33	2980	HSGA.exe
Token: SeIncBasePriorityPrivilege	2980	HSGA.exe
Token: 33	2836	HSGA.exe
Token: SeIncBasePriorityPrivilege	2836	HSGA.exe
Token: 33	1832	HSGA.exe
Token: SeIncBasePriorityPrivilege	1832	HSGA.exe
Token: 33	2552	HSGA.exe
Token: SeIncBasePriorityPrivilege	2552	HSGA.exe
Token: 33	2144	HSGA.exe
Token: SeIncBasePriorityPrivilege	2144	HSGA.exe
Token: 33	1760	HSGA.exe
Token: SeIncBasePriorityPrivilege	1760	HSGA.exe
Token: 33	1756	HSGA.exe
Token: SeIncBasePriorityPrivilege	1756	HSGA.exe
Token: 33	2468	HSGA.exe
Token: SeIncBasePriorityPrivilege	2468	HSGA.exe
Token: 33	2272	HSGA.exe
Token: SeIncBasePriorityPrivilege	2272	HSGA.exe
Token: 33	896	HSGA.exe
Token: SeIncBasePriorityPrivilege	896	HSGA.exe
Token: 33	3068	HSGA.exe
Token: SeIncBasePriorityPrivilege	3068	HSGA.exe
Token: 33	2408	HSGA.exe
Token: SeIncBasePriorityPrivilege	2408	HSGA.exe
Token: 33	2700	HSGA.exe
Token: SeIncBasePriorityPrivilege	2700	HSGA.exe
Token: 33	2872	HSGA.exe
Token: SeIncBasePriorityPrivilege	2872	HSGA.exe
Token: 33	2228	HSGA.exe
Token: SeIncBasePriorityPrivilege	2228	HSGA.exe
Token: 33	2136	HSGA.exe
Token: SeIncBasePriorityPrivilege	2136	HSGA.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2156	JaffaCakes118_ae06a4d1e5342c6ace7587b0de04d4df.exe
2904	HSGA.exe
2904	HSGA.exe
2904	HSGA.exe
2904	HSGA.exe
2904	HSGA.exe
2884	HSGA.exe
2884	HSGA.exe
2884	HSGA.exe
2884	HSGA.exe
2884	HSGA.exe
1864	HSGA.exe
1864	HSGA.exe
1864	HSGA.exe
1864	HSGA.exe
1864	HSGA.exe
1980	HSGA.exe
1980	HSGA.exe
1980	HSGA.exe
1980	HSGA.exe
1980	HSGA.exe
2268	HSGA.exe
2268	HSGA.exe
2268	HSGA.exe
2268	HSGA.exe
2268	HSGA.exe
2220	HSGA.exe
2220	HSGA.exe
2220	HSGA.exe
2220	HSGA.exe
2220	HSGA.exe
1384	HSGA.exe
1384	HSGA.exe
1384	HSGA.exe
1384	HSGA.exe
1384	HSGA.exe
2516	HSGA.exe
2516	HSGA.exe
2516	HSGA.exe
2516	HSGA.exe
2516	HSGA.exe
1224	HSGA.exe
1224	HSGA.exe
1224	HSGA.exe
1224	HSGA.exe
1224	HSGA.exe
1576	HSGA.exe
1576	HSGA.exe
1576	HSGA.exe
1576	HSGA.exe
1576	HSGA.exe
2068	HSGA.exe
2068	HSGA.exe
2068	HSGA.exe
2068	HSGA.exe
2068	HSGA.exe
1588	HSGA.exe
1588	HSGA.exe
1588	HSGA.exe
1588	HSGA.exe
1588	HSGA.exe
2796	HSGA.exe
2796	HSGA.exe
2796	HSGA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2472	2156	JaffaCakes118_ae06a4d1e5342c6ace7587b0de04d4df.exe	30
PID 2156 wrote to memory of 2472	2156	JaffaCakes118_ae06a4d1e5342c6ace7587b0de04d4df.exe	30
PID 2156 wrote to memory of 2472	2156	JaffaCakes118_ae06a4d1e5342c6ace7587b0de04d4df.exe	30
PID 2156 wrote to memory of 2472	2156	JaffaCakes118_ae06a4d1e5342c6ace7587b0de04d4df.exe	30
PID 2156 wrote to memory of 2712	2156	JaffaCakes118_ae06a4d1e5342c6ace7587b0de04d4df.exe	31
PID 2156 wrote to memory of 2712	2156	JaffaCakes118_ae06a4d1e5342c6ace7587b0de04d4df.exe	31
PID 2156 wrote to memory of 2712	2156	JaffaCakes118_ae06a4d1e5342c6ace7587b0de04d4df.exe	31
PID 2156 wrote to memory of 2712	2156	JaffaCakes118_ae06a4d1e5342c6ace7587b0de04d4df.exe	31
PID 2472 wrote to memory of 2904	2472	KeyHack.exe	32
PID 2472 wrote to memory of 2904	2472	KeyHack.exe	32
PID 2472 wrote to memory of 2904	2472	KeyHack.exe	32
PID 2472 wrote to memory of 2904	2472	KeyHack.exe	32
PID 2472 wrote to memory of 2908	2472	KeyHack.exe	33
PID 2472 wrote to memory of 2908	2472	KeyHack.exe	33
PID 2472 wrote to memory of 2908	2472	KeyHack.exe	33
PID 2472 wrote to memory of 2908	2472	KeyHack.exe	33
PID 2908 wrote to memory of 2620	2908	KeyHack.exe	34
PID 2908 wrote to memory of 2620	2908	KeyHack.exe	34
PID 2908 wrote to memory of 2620	2908	KeyHack.exe	34
PID 2908 wrote to memory of 2620	2908	KeyHack.exe	34
PID 2908 wrote to memory of 2684	2908	KeyHack.exe	35
PID 2908 wrote to memory of 2684	2908	KeyHack.exe	35
PID 2908 wrote to memory of 2684	2908	KeyHack.exe	35
PID 2908 wrote to memory of 2684	2908	KeyHack.exe	35
PID 2684 wrote to memory of 2864	2684	KeyHack.exe	36
PID 2684 wrote to memory of 2864	2684	KeyHack.exe	36
PID 2684 wrote to memory of 2864	2684	KeyHack.exe	36
PID 2684 wrote to memory of 2864	2684	KeyHack.exe	36
PID 2684 wrote to memory of 1272	2684	KeyHack.exe	37
PID 2684 wrote to memory of 1272	2684	KeyHack.exe	37
PID 2684 wrote to memory of 1272	2684	KeyHack.exe	37
PID 2684 wrote to memory of 1272	2684	KeyHack.exe	37
PID 1272 wrote to memory of 2884	1272	KeyHack.exe	38
PID 1272 wrote to memory of 2884	1272	KeyHack.exe	38
PID 1272 wrote to memory of 2884	1272	KeyHack.exe	38
PID 1272 wrote to memory of 2884	1272	KeyHack.exe	38
PID 1272 wrote to memory of 1960	1272	KeyHack.exe	39
PID 1272 wrote to memory of 1960	1272	KeyHack.exe	39
PID 1272 wrote to memory of 1960	1272	KeyHack.exe	39
PID 1272 wrote to memory of 1960	1272	KeyHack.exe	39
PID 1960 wrote to memory of 1864	1960	KeyHack.exe	40
PID 1960 wrote to memory of 1864	1960	KeyHack.exe	40
PID 1960 wrote to memory of 1864	1960	KeyHack.exe	40
PID 1960 wrote to memory of 1864	1960	KeyHack.exe	40
PID 1960 wrote to memory of 1372	1960	KeyHack.exe	41
PID 1960 wrote to memory of 1372	1960	KeyHack.exe	41
PID 1960 wrote to memory of 1372	1960	KeyHack.exe	41
PID 1960 wrote to memory of 1372	1960	KeyHack.exe	41
PID 1372 wrote to memory of 1980	1372	KeyHack.exe	42
PID 1372 wrote to memory of 1980	1372	KeyHack.exe	42
PID 1372 wrote to memory of 1980	1372	KeyHack.exe	42
PID 1372 wrote to memory of 1980	1372	KeyHack.exe	42
PID 1372 wrote to memory of 1608	1372	KeyHack.exe	43
PID 1372 wrote to memory of 1608	1372	KeyHack.exe	43
PID 1372 wrote to memory of 1608	1372	KeyHack.exe	43
PID 1372 wrote to memory of 1608	1372	KeyHack.exe	43
PID 1608 wrote to memory of 2268	1608	KeyHack.exe	44
PID 1608 wrote to memory of 2268	1608	KeyHack.exe	44
PID 1608 wrote to memory of 2268	1608	KeyHack.exe	44
PID 1608 wrote to memory of 2268	1608	KeyHack.exe	44
PID 1608 wrote to memory of 1672	1608	KeyHack.exe	45
PID 1608 wrote to memory of 1672	1608	KeyHack.exe	45
PID 1608 wrote to memory of 1672	1608	KeyHack.exe	45
PID 1608 wrote to memory of 1672	1608	KeyHack.exe	45

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ae06a4d1e5342c6ace7587b0de04d4df.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ae06a4d1e5342c6ace7587b0de04d4df.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
  "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\28463\HSGA.exe
    "C:\Windows\system32\28463\HSGA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2904
- - C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
    "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\SysWOW64\28463\HSGA.exe
      "C:\Windows\system32\28463\HSGA.exe"
      4⤵
      Executes dropped EXE
      PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
      "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2864
    - - C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1272
      - C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2884
      - C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1672
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1392
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        11⤵
        Executes dropped EXE
        
        PID:960
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        12⤵
        Executes dropped EXE
        
        PID:1788
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1764
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        14⤵
        Executes dropped EXE
        
        PID:1712
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        15⤵
        Executes dropped EXE
        
        PID:2820
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        16⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        17⤵
        Executes dropped EXE
        
        PID:2672
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        18⤵
        Executes dropped EXE
        
        PID:2772
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2340
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        21⤵
        Executes dropped EXE
        
        PID:3036
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1808
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        23⤵
        Executes dropped EXE
        
        PID:1232
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        24⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        25⤵
        Executes dropped EXE
        
        PID:724
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        27⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        27⤵
        Executes dropped EXE
        
        PID:1692
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        28⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        29⤵
        Executes dropped EXE
        
        PID:2360
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        30⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        30⤵
        Executes dropped EXE
        
        PID:1768
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        31⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        31⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        32⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2068
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        33⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        33⤵
        Executes dropped EXE
        
        PID:2912
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        34⤵
        Drops file in System32 directory
        
        PID:2656
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        35⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        35⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        36⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        36⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        37⤵
        Adds Run key to start application
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        37⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        38⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        38⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        39⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        39⤵
        
        PID:600
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        40⤵
        Adds Run key to start application
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        40⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        41⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        41⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        42⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        42⤵
        Drops file in System32 directory
        
        PID:724
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        43⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        43⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        44⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        44⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        45⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        45⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        46⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:2172
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        47⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        47⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        48⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        48⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        49⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        49⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        50⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        50⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        51⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        51⤵
        
        PID:548
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        52⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        52⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        53⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        54⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        54⤵
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        55⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        55⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        56⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        56⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        57⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        57⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        58⤵
        Adds Run key to start application
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        58⤵
        Drops file in System32 directory
        
        PID:1360
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        59⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        60⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        60⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        61⤵
        Adds Run key to start application
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        61⤵
        
        PID:552
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        62⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        62⤵
        Drops file in System32 directory
        
        PID:580
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        63⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        63⤵
        Drops file in System32 directory
        
        PID:2736
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        64⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        64⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        65⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        65⤵
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        66⤵
        Adds Run key to start application
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        66⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        67⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        67⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        68⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        68⤵
        
        PID:548
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        69⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        69⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        70⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        71⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        71⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        72⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        72⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        73⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        73⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        74⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:108
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        74⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        75⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        75⤵
        
        PID:448
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        77⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        77⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        78⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        78⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        79⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        79⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        80⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        80⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        81⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        81⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        82⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        82⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        83⤵
        Adds Run key to start application
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        83⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        84⤵
        Adds Run key to start application
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        84⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        85⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        85⤵
        Drops file in System32 directory
        
        PID:2228
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        86⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        86⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        87⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        87⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        88⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        88⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        89⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        89⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        90⤵
        Adds Run key to start application
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        90⤵
        
        PID:596
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        91⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        91⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        92⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        92⤵
        Drops file in System32 directory
        
        PID:1400
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        93⤵
        Adds Run key to start application
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        93⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        94⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        94⤵
        
        PID:960
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        95⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        95⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        96⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        96⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        97⤵
        Adds Run key to start application
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        97⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        98⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        98⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        99⤵
        Adds Run key to start application
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        99⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        100⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        100⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        101⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        101⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        102⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        102⤵
        
        PID:804
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        103⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        103⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        104⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        105⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        105⤵
        Drops file in System32 directory
        
        PID:3004
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        106⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:588
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        107⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        107⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        108⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        108⤵
        
        PID:996
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        109⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        110⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        110⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        111⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        111⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        112⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        112⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        113⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        113⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        114⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        114⤵
        
        PID:552
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        115⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        115⤵
        Drops file in System32 directory
        
        PID:1172
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        116⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        116⤵
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        117⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        117⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        118⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        118⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        119⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        119⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        120⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        121⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        122⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        122⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        123⤵
        Adds Run key to start application
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        123⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        124⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        124⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        125⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        125⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        126⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        126⤵
        Drops file in System32 directory
        
        PID:2992
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        127⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        127⤵
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        128⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        128⤵
        Drops file in System32 directory
        
        PID:2364
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        129⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        129⤵
        
        PID:996
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        130⤵
        Adds Run key to start application
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        130⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        131⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        132⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        133⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        134⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        134⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        135⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        135⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        136⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        136⤵
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        137⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        137⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        138⤵
        Adds Run key to start application
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        138⤵
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        139⤵
        Adds Run key to start application
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        139⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        140⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        140⤵
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        141⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        141⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        142⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        142⤵
        Drops file in System32 directory
        
        PID:2652
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        143⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        143⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        144⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        145⤵
        Adds Run key to start application
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        145⤵
        
        PID:608
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        146⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        146⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        147⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        147⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        148⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        148⤵
        
        PID:316
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        149⤵
        
        PID:108
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        149⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        150⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        150⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        151⤵
        Drops file in System32 directory
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        151⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        152⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        152⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        153⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        153⤵
        
        PID:556
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        154⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        154⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        155⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        155⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        156⤵
        Adds Run key to start application
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        156⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        157⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        157⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        158⤵
        Adds Run key to start application
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        158⤵
        
        PID:896
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        159⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        159⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        160⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        160⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        161⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        161⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        162⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        162⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        163⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        163⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        164⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        164⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        165⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        165⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        166⤵
        Adds Run key to start application
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        166⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        167⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        167⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        168⤵
        Adds Run key to start application
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        168⤵
        
        PID:536
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        169⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        169⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        170⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        170⤵
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        171⤵
        Adds Run key to start application
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        171⤵
        
        PID:448
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        172⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        172⤵
        Drops file in System32 directory
        
        PID:396
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        173⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        173⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        174⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        174⤵
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        175⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        175⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        176⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        176⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        177⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        177⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        178⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        178⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        179⤵
        Adds Run key to start application
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        179⤵
        
        PID:340
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        180⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        180⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        181⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        181⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        182⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        182⤵
        
        PID:692
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        183⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        184⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        184⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        185⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        185⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        186⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        186⤵
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        187⤵
        Adds Run key to start application
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        187⤵
        
        PID:548
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        188⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        188⤵
        
        PID:380
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        189⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        189⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        190⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        190⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        191⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        191⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        192⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        192⤵
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        193⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        193⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        194⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        194⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        195⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        196⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        196⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        197⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        197⤵
        Drops file in System32 directory
        
        PID:2428
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        198⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        198⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        199⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        199⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        200⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        201⤵
        Adds Run key to start application
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        201⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        202⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        202⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        203⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        203⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        204⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        204⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        205⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        205⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        206⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        207⤵
        Adds Run key to start application
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        207⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        208⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        208⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        209⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        209⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        210⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        210⤵
        
        PID:536
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        211⤵
        Adds Run key to start application
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        211⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        212⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        212⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        213⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        213⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        214⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        214⤵
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        215⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        215⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        216⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        216⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        217⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        217⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        218⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        218⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        219⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        219⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        220⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        220⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        221⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        221⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        222⤵
        Adds Run key to start application
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        222⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        223⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        223⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        224⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        224⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        225⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        225⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        226⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        226⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        227⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        227⤵
        Drops file in System32 directory
        
        PID:2848
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        228⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        228⤵
        Drops file in System32 directory
        
        PID:1996
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        229⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        229⤵
        
        PID:588
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        230⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        230⤵
        
        PID:652
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        231⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        231⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        232⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        232⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        233⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        233⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        234⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        234⤵
        
        PID:568
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        235⤵
        Adds Run key to start application
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        235⤵
        
        PID:484
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        236⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        236⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        237⤵
        Adds Run key to start application
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        237⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        238⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        238⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        239⤵
        Adds Run key to start application
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        239⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        240⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        240⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        241⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        241⤵
        Drops file in System32 directory
        
        PID:1424
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        242⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        242⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        243⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        243⤵
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        244⤵
        Adds Run key to start application
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        244⤵
        Drops file in System32 directory
        
        PID:2568
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        245⤵
        Adds Run key to start application
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        245⤵
        Drops file in System32 directory
        
        PID:2132
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        246⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        246⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        247⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        247⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        248⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        248⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        249⤵
        Adds Run key to start application
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        249⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:600
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        250⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        250⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        251⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        251⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        252⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        252⤵
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        253⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        253⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        254⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        254⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        255⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        255⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        256⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        256⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        257⤵
        Adds Run key to start application
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        257⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        258⤵
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        258⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        259⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        259⤵
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        260⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        260⤵
        
        PID:892
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        261⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        261⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        262⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        262⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        263⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        263⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        264⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        264⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        265⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        265⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        266⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        266⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        267⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        267⤵
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        268⤵
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        268⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        269⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        269⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        270⤵
        System Location Discovery: System Language Discovery
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        270⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        271⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        271⤵
        
        PID:656
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        272⤵
        
        PID:108
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        272⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        273⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        273⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        274⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        274⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        275⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        275⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        276⤵
        Adds Run key to start application
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        276⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        277⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        277⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        278⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        278⤵
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        279⤵
        System Location Discovery: System Language Discovery
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        279⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        280⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        280⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        281⤵
        Adds Run key to start application
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        281⤵
        
        PID:724
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        282⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        282⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        283⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        283⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        284⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        284⤵
        
        PID:692
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        285⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        285⤵
        Drops file in System32 directory
        
        PID:2812
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        286⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        286⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        287⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        287⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        288⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        288⤵
        Drops file in System32 directory
        
        PID:2340
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        289⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        289⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        290⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        290⤵
        
        PID:860
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        291⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        291⤵
        Drops file in System32 directory
        
        PID:3004
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        292⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        292⤵
        Drops file in System32 directory
        
        PID:560
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        293⤵
        Adds Run key to start application
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        293⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        294⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        294⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        295⤵
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        295⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        296⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        296⤵
        Drops file in System32 directory
        
        PID:2540
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        297⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        297⤵
        
        PID:556
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        298⤵
        Adds Run key to start application
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        298⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        299⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        299⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        300⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        300⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        301⤵
        Adds Run key to start application
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        301⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        302⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        302⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        303⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        303⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        304⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        304⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        305⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        305⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        306⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        306⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        307⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        307⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        308⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        308⤵
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        309⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        309⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        310⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        310⤵
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        311⤵
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        311⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        312⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        312⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        313⤵
        Adds Run key to start application
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        313⤵
        Drops file in System32 directory
        
        PID:604
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        314⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        314⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        315⤵
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        315⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        316⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        316⤵
        
        PID:596
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        317⤵
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        317⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        318⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        318⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        319⤵
        System Location Discovery: System Language Discovery
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        319⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        320⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        320⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        321⤵
        Adds Run key to start application
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        321⤵
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        322⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        322⤵
        
        PID:580
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        323⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        323⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        324⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        324⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        325⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        325⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        326⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        326⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        327⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        327⤵
        
        PID:692
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        328⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        328⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        329⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        329⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        330⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        330⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        331⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        331⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        332⤵
        Adds Run key to start application
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        332⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        333⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        333⤵
        Drops file in System32 directory
        
        PID:592
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        334⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        334⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        335⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        335⤵
        Drops file in System32 directory
        
        PID:1940
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        336⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        336⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        337⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        337⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        338⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        338⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        339⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        339⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        340⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        340⤵
        Drops file in System32 directory
        
        PID:556
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        341⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        341⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        342⤵
        Adds Run key to start application
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        342⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        343⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        343⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        344⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        344⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        345⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        345⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        346⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        346⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        347⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        347⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        348⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        348⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        349⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        349⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        350⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        350⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        351⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        351⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        352⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        352⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        353⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        353⤵
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        354⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        354⤵
        
        PID:608
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        355⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        355⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        356⤵
        
        PID:108
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        356⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        357⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        357⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        358⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        358⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        359⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        359⤵
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        360⤵
        System Location Discovery: System Language Discovery
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        360⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        361⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        361⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        362⤵
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        362⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        363⤵
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        363⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        364⤵
        Adds Run key to start application
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        364⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        365⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        365⤵
        Drops file in System32 directory
        
        PID:2744
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        366⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        366⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        367⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        367⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        368⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        368⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        369⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        369⤵
        
        PID:692
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        370⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        370⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        371⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        371⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        372⤵
        Adds Run key to start application
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        372⤵
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        373⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        373⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        374⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        374⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        375⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        375⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        376⤵
        Adds Run key to start application
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        376⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        377⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        377⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        378⤵
        Adds Run key to start application
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        378⤵
        Drops file in System32 directory
        
        PID:976
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        379⤵
        Adds Run key to start application
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        379⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        380⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        380⤵
        Drops file in System32 directory
        
        PID:2180
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        381⤵
        Drops file in System32 directory
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        381⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        382⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        382⤵
        
        PID:552
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        383⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        383⤵
        
        PID:916
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        384⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        384⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        385⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        385⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        386⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        386⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        387⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        387⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        388⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        388⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        389⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        389⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        390⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        390⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        391⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        391⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        392⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        392⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        393⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        393⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        394⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        394⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        395⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        395⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        396⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        396⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        397⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        397⤵
        
        PID:396
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        398⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        398⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        399⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        399⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        400⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        400⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        401⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        401⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        402⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        402⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        403⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        403⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        404⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        404⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        405⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        405⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        406⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        406⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        407⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        407⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        408⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        408⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        409⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        409⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        410⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        410⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        411⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        411⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        412⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        412⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        413⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        413⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        414⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        414⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        415⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        415⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        416⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        416⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        417⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        417⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        418⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        418⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        419⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        419⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        420⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        420⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        421⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        421⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        422⤵
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        422⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        423⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        423⤵
        
        PID:916
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        424⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        424⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        425⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        425⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        426⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        426⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        427⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        427⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        428⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        428⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        429⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        429⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        430⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        430⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        431⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        431⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        432⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        432⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        433⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        433⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        434⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        434⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        435⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        435⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        436⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        436⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        437⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        437⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        438⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        438⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        439⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        439⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        440⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        440⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        441⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        441⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        442⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        442⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        443⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        443⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        444⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        444⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        445⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        445⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        446⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        446⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        447⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        447⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        448⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        448⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        449⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        449⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        450⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        450⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        451⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        451⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        452⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        452⤵
        
        PID:628
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        453⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        453⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        454⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        454⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        455⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        455⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        456⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        456⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        457⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        457⤵
        
        PID:944
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        458⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        458⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        459⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        459⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        460⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        460⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        461⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        461⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        462⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        462⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        463⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        463⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        464⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        464⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        465⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        465⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        466⤵
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        466⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        467⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        467⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        468⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        468⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        469⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        469⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        470⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        470⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        471⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        471⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        472⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        472⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        473⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        473⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        474⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        474⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        475⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        475⤵
        
        PID:592
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        476⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        476⤵
        
        PID:796
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        477⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        477⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        478⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        478⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        479⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        479⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        480⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        480⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        481⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        481⤵
        
        PID:484
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        482⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        482⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        483⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        483⤵
        
        PID:892
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        484⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        484⤵
        
        PID:884
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        485⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        485⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        486⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        486⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        487⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        487⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        488⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        488⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        489⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        489⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        490⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        490⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        491⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        491⤵
        
        PID:600
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        492⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        492⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        493⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        493⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        494⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        494⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        495⤵
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        495⤵
        
        PID:652
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        496⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        496⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        497⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        497⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        498⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        498⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        499⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        499⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        500⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        500⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        501⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        501⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        502⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        502⤵
        
        PID:996
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        503⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        503⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        504⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        504⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        505⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        505⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        506⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        506⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        507⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        507⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        508⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        508⤵
        
        PID:340
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        509⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        509⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        510⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        510⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        511⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        511⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        512⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\KeyHack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KeyHack.exe"
        512⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\28463\HSGA.exe
        
        "C:\Windows\system32\28463\HSGA.exe"
        513⤵
        
        PID:2028
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\LICENSE.txt
  2⤵
  - Loads dropped DLL
  - Opens file in notepad (likely ransom note)
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@91B6.tmp

Filesize
1.2MB

MD5
b936f69aba0877a4594a037c3858a916

SHA1
a25915275748e1fd1bfb38bbbd95cd6a05f8d248

SHA256
569364f456321c4ef5fda6b21f403587228988bfa4585552544baa34db87aff2

SHA512
31faadf7bde7da3ad5336607e0d4ab1a2d12a6fb73d8c8609acd3cd11e3c72e80cc455088ddb3031df46a70705ab526213778d2ed1987bc23c314960877b35d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\LICENSE.txt

Filesize
1KB

MD5
637ba3c6422058aa92f0ba16ae9c0063

SHA1
48fc6e59035f541dd7e80d821ac4f86a5924915f

SHA256
57558380c4285203cbfe630a20b59c27c85ff10be918684ba72386e75ca3aa1a

SHA512
7d18fd5590e433084bb7acc0546f8bc17c4211fc063de7d568a02988df58aefa91b25881a029cfc44f2cad828092c2ff5c344d3d7f80b574ecf8f954f1204cf8

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
395KB

MD5
b8fa30233794772b8b76b4b1d91c7321

SHA1
0cf9561be2528944285e536f41d502be24c3aa87

SHA256
14116fa79ccc105fabd312b4dff74933f8684c6b27db37e5e3a79d159092d29a

SHA512
10ce8b18e7afb8c7e30bb90b0a1f199ef0b77873fa7a9efc596606e151be6b516c0ec6222a9032bdcc527e80964f53d20a28fa1881a08b4df303b2e28204549d

Download Submit
C:\Windows\SysWOW64\28463\HSGA.001

Filesize
468B

MD5
69f009f3dc00fce64638ae65327a3262

SHA1
c2193cb119897fb28fc8827067e37be2f04fe39f

SHA256
902069cbd5cfa9c874eeba9845b8e1ff4117aa42cbbdf0f926063bed892b51e6

SHA512
fdc00e6c98ce7eec68883a5b5b2667ba7de84f28c1062b055581e9cb90b1ecfe00d19adf97fb024ebfd5a61f4b00c3c4d9570ec4e316566747c5bc4b88f1ef0a

Download Submit
C:\Windows\SysWOW64\28463\HSGA.007

Filesize
5KB

MD5
b5a87d630436f958c6e1d82d15f98f96

SHA1
d3ff5e92198d4df0f98a918071aca53550bf1cff

SHA256
a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2

SHA512
fd7bae85a86bdaa12fec826d1d38728a90e2037cb3182ad7652d8a9f54c4b322734c587b62221e6f907fce24fcf2e0ae4cce1f5e3d8861661064b4da24bd87ce

Download Submit
C:\Windows\SysWOW64\28463\HSGA.exe

Filesize
473KB

MD5
17535dddecf8cb1efdba1f1952126547

SHA1
a862a9a3eb6c201751be1038537522a5281ea6cb

SHA256
1a3d28ac6359e58aa656f4734f9f36b6c09badadcf9fb900b9b118d90c38a9dd

SHA512
b4f31b552ab3bb3dafa365aa7a31f58674ae7ee82ce1d23457f2e7047431430b00abb3b5498491725639daf583b526b278a737168cfdc4e9ec796dfbc14a53d8

Download Submit
\Users\Admin\AppData\Local\Temp\@90CB.tmp

Filesize
4KB

MD5
c3679c3ff636d1a6b8c65323540da371

SHA1
d184758721a426467b687bec2a4acc80fe44c6f8

SHA256
d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb

SHA512
494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7

Download Submit
\Users\Admin\AppData\Local\Temp\KeyHack.exe

Filesize
725KB

MD5
0af6c361527d574bc4f6ca7cf40ad8ed

SHA1
a50d503e5fb8f5ce02561cbcdda82b14a2f53b18

SHA256
1160bdb62f9a021e139073c821a8e164bf20a86754b578fc0a5dd97fb645e9c3

SHA512
343935b99a74cdeecf3338e54fb1f22a116b5ba87d93b29753e9ab6d09f355fb806544d1530ce6c64c61abae06c1fa0d51c303201f3f7622b6d37f3aa1136b80

Download Submit
\Windows\SysWOW64\28463\HSGA.006

Filesize
8KB

MD5
43f02e9974b1477c1e6388882f233db0

SHA1
f3e27b231193f8d5b2e1b09d05ae3a62795cf339

SHA256
3c9e56e51d5a7a1b9aefe853c12a98bf246039aa46db94227ea128f6331782ba

SHA512
e22d14735606fe75ee5e55204807c3f5531d3e0c4f63aa4a3b2d4bb6abda6128c7e2816753f2e64400ac6dae8f8ef1e013a7a464dff2a79ad9937c48821a067f

Download Submit
memory/1364-3265-0x0000000077690000-0x000000007778A000-memory.dmp

Filesize
1000KB

Download
memory/1364-13375-0x0000000002780000-0x000000000278B000-memory.dmp

Filesize
44KB

Download
memory/1364-16137-0x0000000077570000-0x000000007768F000-memory.dmp

Filesize
1.1MB

Download
memory/1364-16138-0x0000000077690000-0x000000007778A000-memory.dmp

Filesize
1000KB

Download
memory/1364-15798-0x0000000077690000-0x000000007778A000-memory.dmp

Filesize
1000KB

Download
memory/1364-810-0x0000000077570000-0x000000007768F000-memory.dmp

Filesize
1.1MB

Download
memory/1364-811-0x0000000077690000-0x000000007778A000-memory.dmp

Filesize
1000KB

Download
memory/1364-15799-0x00000000027A0000-0x000000000281B000-memory.dmp

Filesize
492KB

Download
memory/1364-3264-0x0000000077570000-0x000000007768F000-memory.dmp

Filesize
1.1MB

Download
memory/1364-4389-0x0000000077690000-0x000000007778A000-memory.dmp

Filesize
1000KB

Download
memory/1364-4388-0x0000000077570000-0x000000007768F000-memory.dmp

Filesize
1.1MB

Download
memory/1364-7342-0x0000000077690000-0x000000007778A000-memory.dmp

Filesize
1000KB

Download
memory/1364-7341-0x0000000077570000-0x000000007768F000-memory.dmp

Filesize
1.1MB

Download
memory/1364-8359-0x0000000077570000-0x000000007768F000-memory.dmp

Filesize
1.1MB

Download
memory/1364-8360-0x0000000077690000-0x000000007778A000-memory.dmp

Filesize
1000KB

Download
memory/1364-9365-0x0000000077690000-0x000000007778A000-memory.dmp

Filesize
1000KB

Download
memory/1364-9364-0x0000000077570000-0x000000007768F000-memory.dmp

Filesize
1.1MB

Download
memory/1364-9696-0x0000000077690000-0x000000007778A000-memory.dmp

Filesize
1000KB

Download
memory/1364-9695-0x0000000077570000-0x000000007768F000-memory.dmp

Filesize
1.1MB

Download
memory/1364-15797-0x0000000077570000-0x000000007768F000-memory.dmp

Filesize
1.1MB

Download
memory/1364-13374-0x0000000077690000-0x000000007778A000-memory.dmp

Filesize
1000KB

Download
memory/2156-26-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/2156-1-0x0000000000530000-0x0000000000620000-memory.dmp

Filesize
960KB

Download
memory/2156-25-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/2156-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2156-2-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads