ghost64.exe
DeviceProcessEvents
| where FileName =~ "ghost64.exe"
    or (ProcessCommandLine contains "svchost.exe" and ProcessCommandLine contains "suspended")
| join kind=inner (
    DeviceProcessEvents
    | where FileName =~ "svchost.exe"
    | project DeviceId, SvchostTime = Timestamp
  ) on DeviceId
// keep only svchost.exe process events 0 to 5000 ms after the matched event
| where (SvchostTime - Timestamp) between (0ms .. 5000ms)
(Windows Preinstallation Environment) to handle hardware with UEFI/EFI boot systems.
-sure : Automatically answers "Yes" to all confirmation prompts.
The primary role of ghost64.exe is to capture or restore a precise image of a hard drive or partition.
The binary is packed and deliberately stripped of static indicators, forcing analysis into dynamic execution.