Because you missed a persistence mechanism—likely a scheduled task, a Windows service, or a second dropper file (like svchost.exe fake). Run a full offline antivirus scan.
Upon execution, the malware:
This variant is the most widespread. Attackers rename a keylogger or credential stealer to ghost64.exe . Once executed, it: ghost64exe