35155e8468c1287a21e03699a55325378001fa060ee79a1db8f5b02e82adc33d

Analysis

max time kernel
1802s
max time network
1161s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
12-09-2024 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NexusChecker.exe
Size

605.6MB
MD5

2ba4db56200d2b07505c1eff5faed706
SHA1

5cf6b2fcd1fd2f93a324151f86b124ea2bb94dd6
SHA256

543fee52f65842ef6397ceca2b2516785103e93aecc58d340360ee76260684fa
SHA512

59873ce651896d3a3fc11656b3e3a1e56b94be13bf7244521c29194d75517514325765a00e1da9189b15dd291b09b5fb43509d61599c4ea0fe77a053c5f988b1
SSDEEP

49152:lNjqYcOatzfsFfG/oDx4tDhdLDG15f9pTo0trQyYxQw:lNjFcOaxYG/M43HA5fVt8Q

Score

9^/10

discovery evasion execution themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 32 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	NexusChecker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4088	powershell.exe
1592	powershell.exe
3096	powershell.exe
3696	powershell.exe
4572	powershell.exe
3272	powershell.exe
1524	powershell.exe
4912	powershell.exe
4900	powershell.exe
3248	powershell.exe
1500	powershell.exe
1156	powershell.exe
2316	powershell.exe
2680	powershell.exe
3308	powershell.exe
4524	powershell.exe
1044	powershell.exe
4892	powershell.exe
2960	powershell.exe
5028	powershell.exe
4452	powershell.exe
4620	powershell.exe
1068	powershell.exe
2512	powershell.exe
3588	powershell.exe
1736	powershell.exe
1576	powershell.exe
4468	powershell.exe
4676	powershell.exe
1412	powershell.exe
3924	powershell.exe
4572	powershell.exe
5044	powershell.exe
980	powershell.exe
4764	powershell.exe
4664	powershell.exe
672	powershell.exe
1484	powershell.exe
4628	powershell.exe
112	powershell.exe
2624	powershell.exe
3868	powershell.exe
2532	powershell.exe
4768	powershell.exe
1892	powershell.exe
1972	powershell.exe
2976	powershell.exe
2948	powershell.exe
1608	powershell.exe
2212	powershell.exe
5000	powershell.exe
1700	powershell.exe
1792	powershell.exe
4112	powershell.exe
832	powershell.exe
3472	powershell.exe
1912	powershell.exe
4852	powershell.exe
1036	powershell.exe
4068	powershell.exe
1452	powershell.exe
4004	powershell.exe
4664	powershell.exe
400	powershell.exe

Checks BIOS information in registry 2 TTPs 64 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	NexusChecker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	NexusChecker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe

Executes dropped EXE 31 IoCs

pid	Process
2844	ULEXPY.exe
2728	ULEXPY.exe
2224	ULEXPY.exe
932	ULEXPY.exe
4900	ULEXPY.exe
2988	ULEXPY.exe
4832	ULEXPY.exe
3752	ULEXPY.exe
3932	ULEXPY.exe
3292	ULEXPY.exe
2880	ULEXPY.exe
1080	ULEXPY.exe
1592	ULEXPY.exe
3588	ULEXPY.exe
4820	ULEXPY.exe
4632	ULEXPY.exe
1240	ULEXPY.exe
2516	ULEXPY.exe
2328	ULEXPY.exe
4212	ULEXPY.exe
3920	ULEXPY.exe
3584	ULEXPY.exe
3452	ULEXPY.exe
1156	ULEXPY.exe
3468	ULEXPY.exe
2984	ULEXPY.exe
3396	ULEXPY.exe
1460	ULEXPY.exe
1792	ULEXPY.exe
112	ULEXPY.exe
2924	ULEXPY.exe

Themida packer 48 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral4/memory/4240-0-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral4/memory/4240-2-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral4/memory/4240-3-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral4/memory/4240-4-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral4/memory/4240-6-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral4/memory/4240-5-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral4/memory/4240-82-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral4/memory/2844-87-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/2844-88-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/2844-89-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/2844-90-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/2844-91-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/2844-130-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/2728-135-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/2728-136-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/2728-137-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/2728-138-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/2728-139-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/2844-184-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/2224-190-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/2224-191-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/2224-193-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/2224-192-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/2224-194-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/2844-234-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/932-240-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/932-241-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/932-242-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/932-243-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/932-244-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/4900-295-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/4900-296-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/4900-297-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/4900-298-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/4900-299-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/2988-345-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/2988-346-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/2988-347-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/2988-348-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/2988-349-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/4832-400-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/3752-451-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/3932-507-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/3292-558-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/2880-609-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/1080-660-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/1592-711-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida
behavioral4/memory/3588-762-0x0000000000CC0000-0x0000000001343000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 32 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NexusChecker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 32 IoCs

pid	Process
4240	NexusChecker.exe
2844	ULEXPY.exe
2728	ULEXPY.exe
2224	ULEXPY.exe
932	ULEXPY.exe
4900	ULEXPY.exe
2988	ULEXPY.exe
4832	ULEXPY.exe
3752	ULEXPY.exe
3932	ULEXPY.exe
3292	ULEXPY.exe
2880	ULEXPY.exe
1080	ULEXPY.exe
1592	ULEXPY.exe
3588	ULEXPY.exe
4820	ULEXPY.exe
4632	ULEXPY.exe
1240	ULEXPY.exe
2516	ULEXPY.exe
2328	ULEXPY.exe
4212	ULEXPY.exe
3920	ULEXPY.exe
3584	ULEXPY.exe
3452	ULEXPY.exe
1156	ULEXPY.exe
3468	ULEXPY.exe
2984	ULEXPY.exe
3396	ULEXPY.exe
1460	ULEXPY.exe
1792	ULEXPY.exe
112	ULEXPY.exe
2924	ULEXPY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1560	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1876	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4572	powershell.exe
1452	powershell.exe
1452	powershell.exe
4572	powershell.exe
2680	powershell.exe
4004	powershell.exe
2680	powershell.exe
4004	powershell.exe
1412	powershell.exe
3472	powershell.exe
1412	powershell.exe
3472	powershell.exe
4452	powershell.exe
3272	powershell.exe
4452	powershell.exe
3272	powershell.exe
4664	powershell.exe
1524	powershell.exe
4664	powershell.exe
1524	powershell.exe
2532	powershell.exe
3588	powershell.exe
2532	powershell.exe
3588	powershell.exe
4764	powershell.exe
1912	powershell.exe
4764	powershell.exe
1912	powershell.exe
4664	powershell.exe
1608	powershell.exe
1608	powershell.exe
4664	powershell.exe
4852	powershell.exe
4768	powershell.exe
4852	powershell.exe
4768	powershell.exe
2212	powershell.exe
1044	powershell.exe
2212	powershell.exe
1044	powershell.exe
4912	powershell.exe
3924	powershell.exe
3924	powershell.exe
4912	powershell.exe
4088	powershell.exe
4628	powershell.exe
4088	powershell.exe
4628	powershell.exe
4620	powershell.exe
4892	powershell.exe
4620	powershell.exe
4892	powershell.exe
1500	powershell.exe
4572	powershell.exe
1500	powershell.exe
4572	powershell.exe
1156	powershell.exe
112	powershell.exe
1156	powershell.exe
112	powershell.exe
400	powershell.exe
2624	powershell.exe
400	powershell.exe
2624	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	3272	powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	3588	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeDebugPrivilege	3924	powershell.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	4628	powershell.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	400	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	3096	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	4524	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	3248	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 4572	4240	NexusChecker.exe	81
PID 4240 wrote to memory of 4572	4240	NexusChecker.exe	81
PID 4240 wrote to memory of 4572	4240	NexusChecker.exe	81
PID 4240 wrote to memory of 1452	4240	NexusChecker.exe	83
PID 4240 wrote to memory of 1452	4240	NexusChecker.exe	83
PID 4240 wrote to memory of 1452	4240	NexusChecker.exe	83
PID 4240 wrote to memory of 4224	4240	NexusChecker.exe	85
PID 4240 wrote to memory of 4224	4240	NexusChecker.exe	85
PID 4240 wrote to memory of 4224	4240	NexusChecker.exe	85
PID 4224 wrote to memory of 1560	4224	cmd.exe	87
PID 4224 wrote to memory of 1560	4224	cmd.exe	87
PID 4224 wrote to memory of 1560	4224	cmd.exe	87
PID 4224 wrote to memory of 2844	4224	cmd.exe	88
PID 4224 wrote to memory of 2844	4224	cmd.exe	88
PID 4224 wrote to memory of 2844	4224	cmd.exe	88
PID 2844 wrote to memory of 2680	2844	ULEXPY.exe	89
PID 2844 wrote to memory of 2680	2844	ULEXPY.exe	89
PID 2844 wrote to memory of 2680	2844	ULEXPY.exe	89
PID 2844 wrote to memory of 4004	2844	ULEXPY.exe	91
PID 2844 wrote to memory of 4004	2844	ULEXPY.exe	91
PID 2844 wrote to memory of 4004	2844	ULEXPY.exe	91
PID 2844 wrote to memory of 1876	2844	ULEXPY.exe	92
PID 2844 wrote to memory of 1876	2844	ULEXPY.exe	92
PID 2844 wrote to memory of 1876	2844	ULEXPY.exe	92
PID 2728 wrote to memory of 1412	2728	ULEXPY.exe	96
PID 2728 wrote to memory of 1412	2728	ULEXPY.exe	96
PID 2728 wrote to memory of 1412	2728	ULEXPY.exe	96
PID 2728 wrote to memory of 3472	2728	ULEXPY.exe	98
PID 2728 wrote to memory of 3472	2728	ULEXPY.exe	98
PID 2728 wrote to memory of 3472	2728	ULEXPY.exe	98
PID 2224 wrote to memory of 3272	2224	ULEXPY.exe	101
PID 2224 wrote to memory of 3272	2224	ULEXPY.exe	101
PID 2224 wrote to memory of 3272	2224	ULEXPY.exe	101
PID 2224 wrote to memory of 4452	2224	ULEXPY.exe	103
PID 2224 wrote to memory of 4452	2224	ULEXPY.exe	103
PID 2224 wrote to memory of 4452	2224	ULEXPY.exe	103
PID 932 wrote to memory of 4664	932	ULEXPY.exe	106
PID 932 wrote to memory of 4664	932	ULEXPY.exe	106
PID 932 wrote to memory of 4664	932	ULEXPY.exe	106
PID 932 wrote to memory of 1524	932	ULEXPY.exe	108
PID 932 wrote to memory of 1524	932	ULEXPY.exe	108
PID 932 wrote to memory of 1524	932	ULEXPY.exe	108
PID 4900 wrote to memory of 2532	4900	ULEXPY.exe	111
PID 4900 wrote to memory of 2532	4900	ULEXPY.exe	111
PID 4900 wrote to memory of 2532	4900	ULEXPY.exe	111
PID 4900 wrote to memory of 3588	4900	ULEXPY.exe	112
PID 4900 wrote to memory of 3588	4900	ULEXPY.exe	112
PID 4900 wrote to memory of 3588	4900	ULEXPY.exe	112
PID 2988 wrote to memory of 4764	2988	ULEXPY.exe	116
PID 2988 wrote to memory of 4764	2988	ULEXPY.exe	116
PID 2988 wrote to memory of 4764	2988	ULEXPY.exe	116
PID 2988 wrote to memory of 1912	2988	ULEXPY.exe	118
PID 2988 wrote to memory of 1912	2988	ULEXPY.exe	118
PID 2988 wrote to memory of 1912	2988	ULEXPY.exe	118
PID 4832 wrote to memory of 4664	4832	ULEXPY.exe	121
PID 4832 wrote to memory of 4664	4832	ULEXPY.exe	121
PID 4832 wrote to memory of 4664	4832	ULEXPY.exe	121
PID 4832 wrote to memory of 1608	4832	ULEXPY.exe	123
PID 4832 wrote to memory of 1608	4832	ULEXPY.exe	123
PID 4832 wrote to memory of 1608	4832	ULEXPY.exe	123
PID 3752 wrote to memory of 4852	3752	ULEXPY.exe	126
PID 3752 wrote to memory of 4852	3752	ULEXPY.exe	126
PID 3752 wrote to memory of 4852	3752	ULEXPY.exe	126
PID 3752 wrote to memory of 4768	3752	ULEXPY.exe	128

C:\Users\Admin\AppData\Local\Temp\NexusChecker.exe
"C:\Users\Admin\AppData\Local\Temp\NexusChecker.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s39s.0.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1560
- - C:\ProgramData\software\ULEXPY.exe
    "C:\ProgramData\software\ULEXPY.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2680
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4004
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "ULEXPY" /tr C:\ProgramData\software\ULEXPY.exe /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1876

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1412
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3472

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3272
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4452

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:932
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4664
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1524

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3588

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4764
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1912

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4664
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4852
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4768

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:3932
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1044

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:3292
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4912
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3924

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2880
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4088
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4628

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1080
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4892

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:1592
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1500

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:3588
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:112

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4820
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:400
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:4632
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:672
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1592

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1240
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3096
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3308

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2516
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5000

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:2328
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1036
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1700

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4212
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3696
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1736

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3920
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:832

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:3584
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1792

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3452
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5044
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4900

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:1156
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4468
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4068

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:3468
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3868

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:2984
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1892

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:3396
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2512

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:1460
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4676
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5028

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1792
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4112

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
PID:112
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4524
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2948

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2924
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3248
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2076b8f54a382935a8afc34c3a12bb64

SHA1
5233d200d68fd6a87f7c067805b1ff36543cea6d

SHA256
1d1a1d6a00ab5d69abd3fcff636ac5e407110aabc005008945146fb693e789fb

SHA512
f5f77a4d641f9f80ec7a49bd02555b06e258affa3318c70d985d3c2d780cfc727b5d6e4280e9b027c8ba44850e915e6939c0e62cafa7337689ca0931fa661946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c17125b2846447f3a4b3d1f730fc7f18

SHA1
de12ca7779f8c08bda3c7c11ef9ba3f70c9bab89

SHA256
de20284f69db74f65798f51f7142893754a3b37b126380942e7ca9bd51a2aff1

SHA512
53fc7680b12d9841c6f6c36ebba8f1ec6676121d1b98ef9247414e4b9773fefd8e560483e2faec20a77369c5e879b2be8a8b483dc8ec0c5847e2ff942c271edc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5f917e88ee38410dec7d18b58d57782e

SHA1
5237017c073a9208a995995367922803e0b38595

SHA256
1c9f8bea21d5c3c0b58a922059853889810fa37e666be01be64a6a94459eb7b7

SHA512
812602aef55eeb5278aaaf6ccf7fb27a9bf1f25cf374538b03b30742ffa4ef8840028b285ee8c1d471cf03c644a0d505eccac673958a90a055e6c51c19a6a5a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
296B

MD5
577727e71a1ca291e88e33ae71fb0200

SHA1
0d876cf168df2589c250841fffd26872870cff72

SHA256
904cbb4adb689ef1abf094b0017333de8a960e234a88abc198e74f6c7c12957f

SHA512
cdfb437607119924237ceda13b10a2bddfc7e2f821a4b5593f336daf86353f67463940946354dfc3941fe8910157e463a3a979d056393f33154dbb056355fecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
41337c35f5f19a2929112102df90c416

SHA1
c2891d1f860b3a697aa57ea8973ca0ecdf4eec04

SHA256
133ddb2b89b3a04253a2c1f0004d3a599780edd97be08aba51217799c9c2251f

SHA512
6543644e9aab55b76d47a3bd2390694ca0da726f9d7232d99a6ca345d8eef68b38bb3d6a47934e0fed499745a60f4f6376b49630045a1c2b235eebe51a0ed2b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3528d5079b025548c2473b76e6588cae

SHA1
498c3588a354e5d2661ed15f470e2888b03f898d

SHA256
ffb3fd07505100265ba14c3fab0b4f9cc49ec46fcfcd2634bf8e44bc1b19a6fc

SHA512
0cd7b35018b3e04f490049bc8e8de837adb6755eab3cc8afb72653b729da1a79432cdadfade5489f59f0f47ccafb5b2b665ac5aa3904a82d6198fa6f444b0fe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
304B

MD5
6cf42c263672956b2cecae4e7cb159c3

SHA1
e95c1a56dca6aaa74d9094a519eb3c19a23ad5a9

SHA256
e6ffc4cf432f70df73ec96c894eb05691e838b810d9883ca3cb1e895e096fb84

SHA512
479230a5e4fe33174521adec7f82ea5696392e57b3bdaeeb2e5fb7be46ca0c3ba282cd3a6c2aa13e1a77fe8d13d7da343e22f890bffa84b66e61dc5c2d68e609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
83e94639c75231aadad115cfab88e050

SHA1
adf403d09cf4730391a3bac80b8e81e3d8d46ee7

SHA256
7aa0ab4ec0e6e157513b14a256af762cd28fa6bbe184b3a49844ca681112b170

SHA512
f844cfd2dfa1d9f158124d33ffb3bf0de8c8a3cbfceddfd08ff5065aea1356e897b9b17e0499c2e41c28d0e8eafe9de0d1b94121f20c3559988270ab1db98cef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ac8a3fb714d369b663691dd9ef237822

SHA1
411a6b35736a7c8927bda39895e187bcc2e5e51f

SHA256
ad009553d772998f15ebe24a368a661a1575baf037a75b2f0148b4b1a4123445

SHA512
5030520bc093ce2852c2eac6da2c8535a452a09bfde6ac39f2b0a62103640af422eb41256a1fe2c655bac24234f4def89ad330091ee2ba623d1fb1e078e73856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
204B

MD5
a297b1dc4141d0e0b00d029321893ffa

SHA1
fc42c76bd05c04e8fbd19451e46f72a04dde3a8c

SHA256
16e41b6f5e1bac9514ec40bdc31d8b6276968622c5459e5b55ac8437cb4cfe75

SHA512
9946303e2257093f15d8b32c2aecd734ca86a41dae36dc58e64d0d1a905e1033463def83b6f119389ddeecafac313e0f179d280f4af488c7fae282f1a1064e1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ecfc71b39de8cf298a7d96bb3d4e68f7

SHA1
66a2c7fe1e989dce71c492040b08619c0538ebc3

SHA256
be08a2147f15d13dee2edcc1dbcd75e3a5dc671341afa7cd3231df0344d21496

SHA512
d469ca9f18e442962c2cfe5a3dee835011410126eceb37af605c61e9fb4c5f892fdf058f3bfe8d66c50fbe5affb6d4130426aa53c17eb409b11cc1f87b83c890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
bd3db68af8e5e66271cffd96eb4d9b3f

SHA1
d1a25a3f4c67b5f80441c877c1e8e0d749b39b48

SHA256
dd64f9556cca44a1f79a7a72ad4723a19320e3f1e48959f2ef116f74873a14c7

SHA512
d5d2fabf971d5eb68d98118cea32f4de13e36ea9a2697618578d09418912d6496df5c4d71fd14294db9d5e237e21d5f38d622ec4202db809790218a7a7bdb8b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
badfbb81a739fa9844841188a7b0bd38

SHA1
372935bd6822fa7b1564f4037e4b73752c9289db

SHA256
b7a8606cc2b24ae03b6ec977bb7562128b49100249fca379aa146b67a49d7f77

SHA512
29537b9ba8a09564abc922910b9b263d6fcfa9a5e59cc338097441b095fdccc6272ee84f5075c1f25a33e733efd56a7bff472e7202b6f128ccbb61a3585636f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2a434a541607a080690340564e272777

SHA1
4d791053141ca494b1e9b8711ef0a25a3506e8ef

SHA256
075d5d9ca3bc9fd8360b37295afd5112d13e670e950fb39d9d05e425be029ed0

SHA512
dd9091025af21e98a8b746cb6ac0e8a9652c68a29bab8d89c7f7a900f01c8b51e6655b829ac8e832fc986b55e80f5e0e1780f2529f8b677bdaefde89ca5ec9a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3e3ff7b00a7f8e02ea15cd49bfe258c5

SHA1
a6e6121b83bb41f685e482c79a5fc9fdea4eb42c

SHA256
09c8b04c73044ec8f57e81ae74a3165b2ccb35ec5507a16edc9a2eb95dcbc690

SHA512
bc51539e9924f87c1220f7db217ce8499aba63ac23e30b9eccbbba5345048cbb6e9db6bf3bd529a522730be03ab790a479e3fb49e0f80d09b55f7d38d1f80e21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
fa514f14d36b3db2acdabe24ae64907a

SHA1
7bca89569d0555d9a77a18db65d50a5c7b772259

SHA256
54e374915124d8d4fb63673ed49fe61a8add5e9d033f2582a27205be42053dcc

SHA512
f61f3b11467cd002aa66f4c76fe5f72814faa0f11e08605f22cb185b80bb4bba5ceb965fed7e6aa01d8bf54cdbb45562796066dbe8fd102cf68cd7bc3e37ac1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
063abbb19e8c2afe6e15506bc1a27f55

SHA1
2d3ff7d8052594f1e6ec01ee63857df8247dfaf8

SHA256
eb03b7d100e889cd076a0d94aa21a2e51b4962525f161bc812b3110f901bdfe5

SHA512
d275f50ef71759ac9d9820d3823319db55673a97b6ae066e34aa2bac1b5d8971ebe0ad2123510a9b7cf173251c95d94dd9a9d4109650f35554cc70a1e9e722c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
11f12792300fbb4fb824c1132091d326

SHA1
68e9cdd9836a84d853a5607cbf65a6f2c99d2882

SHA256
5d863f671bf02dfdbfcd86f4a19b30bf8d70eec8d1493164b67af359d0e58114

SHA512
bc91602e244659ad389f0aaa731d693112a115b9dbdfcfe1f083e3a5f9fbd24313e67fd10c06f3c4785fcc56619a319d6d1825f484d48dbf75a93795c2b08418

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9fc3db0c60716053dffdd114e74d6698

SHA1
69b88c83ed402c663da9a7585729b269c268236c

SHA256
04fea2e6d1935882b159cbe44a41a3d0f2905b4ea0c3abb44f0b4c806fdc9880

SHA512
0451746219252cdcacf9a0d5a6d151b3106682b579e734b302881a399ffdb792eef5a0099a2130e8dc246f18a8a382fb3ea5ed7c9ddc7f7d7340ca60a30a71f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
5f363b37c53eeea0666b21cc3b158001

SHA1
9a79826f1a750e5dab29c421684b94fe6ca24e0b

SHA256
704943f9a3935c843f3f5d25392c12cbeed69274f27de93914e5796e205d9f61

SHA512
6ceab55d2447cc90f48d29698210659c1db85eaf533cb50a24e355b542e2de846d42a0c1f5c72996bdfa28df97b43a32990639572b0d583d59a0dc9aa88eec76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
aa852a1802fb1d22d28b45733abf505f

SHA1
6599778d16ce874fcf584cdd371017840b0ee3d0

SHA256
3df9a373e8d8aab060402bdcaec82b54c789d04c400258e1bd82aa2af51180ea

SHA512
540c09c6d20800e5aa2b654088792db7eb750defdb5aca6651350e70f7555271eb9a512e1f8caab3c6b13dc446c4d34a78d0c8239d3ddad067bdd03c6d37eb61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e060ef74a9c828268885786e2f1108c9

SHA1
984e5b6fe838d7310ebbba27c7f21d3600dcaa96

SHA256
5e657d1dc94bf37935f7da4ed4dd5b6369939a72ee275f531db541a7eb9602f3

SHA512
80acca4ebd355b85b9fbdcd79e75bfbf8e29fc6c5bdb81dc0dde0d5e14b4ee9c0399ced8ecf3b256d6cd951b814eb5a5fe27325ac8d1f25f4bddf1d13803e17c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
08af4ed0b8656d22d94ab610adee6d31

SHA1
9d0c6c24d2e339cadce74b4c74fbf5a9149eee4b

SHA256
3e8c3398f08b394907baf5f7f8003ca552e6580853e7e3ac47c76e4df594742e

SHA512
3f6ab3647292047c3b496ab5a4be641dcbd62f7088bbacfe8549bbb7d328f6f7a156e5be4468f38c6fe55c1ce5609c27004d095a2d39e4fb13a84b43aac72bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wgxyjo4i.50x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\s39s.0.bat

Filesize
174B

MD5
6951562eae4417b9fe74e79a80df098a

SHA1
e9d7cd5f6c188b27cb8a404fba25aa5f7630ba1b

SHA256
5abec0670ea5be6348e7ea17691930fd2993a61cb7558db85740f10ce552341b

SHA512
93a94072be7644d950d937ff04b09c27a71ca2be0c98ee8323b0e1bb8570aeaa8e40b01b69dd94943b4cf5701ff382bad8359229c02d90d6439d142e708c0c97

Download Submit
memory/112-789-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/400-830-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/672-880-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/932-243-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/932-244-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/932-242-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/932-241-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/932-240-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/1036-1030-0x0000000074540000-0x000000007458C000-memory.dmp

Filesize
304KB

Download
memory/1044-534-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/1080-660-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/1156-780-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/1412-168-0x0000000007560000-0x0000000007604000-memory.dmp

Filesize
656KB

Download
memory/1412-145-0x0000000005CC0000-0x0000000006017000-memory.dmp

Filesize
3.3MB

Download
memory/1412-158-0x00000000068B0000-0x00000000068FC000-memory.dmp

Filesize
304KB

Download
memory/1412-159-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/1412-169-0x00000000078B0000-0x00000000078C1000-memory.dmp

Filesize
68KB

Download
memory/1412-170-0x00000000078F0000-0x0000000007905000-memory.dmp

Filesize
84KB

Download
memory/1452-58-0x0000000073B40000-0x00000000742F1000-memory.dmp

Filesize
7.7MB

Download
memory/1452-13-0x0000000073B40000-0x00000000742F1000-memory.dmp

Filesize
7.7MB

Download
memory/1452-8-0x0000000002470000-0x00000000024A6000-memory.dmp

Filesize
216KB

Download
memory/1452-38-0x00000000704F0000-0x000000007053C000-memory.dmp

Filesize
304KB

Download
memory/1452-63-0x0000000007000000-0x000000000700A000-memory.dmp

Filesize
40KB

Download
memory/1452-64-0x0000000007210000-0x00000000072A6000-memory.dmp

Filesize
600KB

Download
memory/1452-9-0x0000000073B40000-0x00000000742F1000-memory.dmp

Filesize
7.7MB

Download
memory/1452-75-0x0000000073B40000-0x00000000742F1000-memory.dmp

Filesize
7.7MB

Download
memory/1452-65-0x0000000007190000-0x00000000071A1000-memory.dmp

Filesize
68KB

Download
memory/1452-60-0x0000000073B40000-0x00000000742F1000-memory.dmp

Filesize
7.7MB

Download
memory/1452-61-0x0000000006F80000-0x0000000006F9A000-memory.dmp

Filesize
104KB

Download
memory/1452-34-0x0000000005C30000-0x0000000005C4E000-memory.dmp

Filesize
120KB

Download
memory/1452-66-0x00000000071C0000-0x00000000071CE000-memory.dmp

Filesize
56KB

Download
memory/1452-35-0x0000000005CE0000-0x0000000005D2C000-memory.dmp

Filesize
304KB

Download
memory/1500-729-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/1524-283-0x0000000007BE0000-0x0000000007BF1000-memory.dmp

Filesize
68KB

Download
memory/1524-284-0x0000000007C20000-0x0000000007C35000-memory.dmp

Filesize
84KB

Download
memory/1524-274-0x0000000074680000-0x00000000746CC000-memory.dmp

Filesize
304KB

Download
memory/1592-711-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/1592-889-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/1608-418-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/1912-376-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/2212-525-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/2224-190-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/2224-191-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/2224-193-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/2224-192-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/2224-194-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/2532-317-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/2624-839-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/2680-109-0x00000000704F0000-0x000000007053C000-memory.dmp

Filesize
304KB

Download
memory/2728-138-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/2728-135-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/2728-136-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/2728-137-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/2728-139-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/2844-184-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/2844-87-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/2844-88-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/2844-89-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/2844-90-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/2844-91-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/2844-234-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/2844-130-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/2880-609-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/2960-980-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/2988-349-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/2988-348-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/2988-346-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/2988-347-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/2988-345-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/3096-939-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/3272-221-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/3292-558-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/3308-930-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/3472-171-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/3588-326-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/3588-762-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/3752-451-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/3924-576-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/3932-507-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/4004-118-0x00000000704F0000-0x000000007053C000-memory.dmp

Filesize
304KB

Download
memory/4088-627-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/4240-1-0x0000000077C56000-0x0000000077C58000-memory.dmp

Filesize
8KB

Download
memory/4240-2-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/4240-3-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/4240-4-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/4240-6-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/4240-5-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/4240-82-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/4240-0-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/4452-212-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/4572-59-0x0000000073B40000-0x00000000742F1000-memory.dmp

Filesize
7.7MB

Download
memory/4572-76-0x0000000073B40000-0x00000000742F1000-memory.dmp

Filesize
7.7MB

Download
memory/4572-37-0x00000000704F0000-0x000000007053C000-memory.dmp

Filesize
304KB

Download
memory/4572-67-0x0000000007920000-0x0000000007935000-memory.dmp

Filesize
84KB

Download
memory/4572-16-0x0000000005E20000-0x0000000005E86000-memory.dmp

Filesize
408KB

Download
memory/4572-36-0x0000000007380000-0x00000000073B4000-memory.dmp

Filesize
208KB

Download
memory/4572-68-0x0000000007A30000-0x0000000007A4A000-memory.dmp

Filesize
104KB

Download
memory/4572-69-0x0000000007A10000-0x0000000007A18000-memory.dmp

Filesize
32KB

Download
memory/4572-15-0x0000000005DB0000-0x0000000005E16000-memory.dmp

Filesize
408KB

Download
memory/4572-62-0x0000000007D10000-0x000000000838A000-memory.dmp

Filesize
6.5MB

Download
memory/4572-14-0x00000000054E0000-0x0000000005502000-memory.dmp

Filesize
136KB

Download
memory/4572-25-0x0000000005E90000-0x00000000061E7000-memory.dmp

Filesize
3.3MB

Download
memory/4572-7-0x0000000073B4E000-0x0000000073B4F000-memory.dmp

Filesize
4KB

Download
memory/4572-12-0x0000000073B40000-0x00000000742F1000-memory.dmp

Filesize
7.7MB

Download
memory/4572-47-0x0000000073B40000-0x00000000742F1000-memory.dmp

Filesize
7.7MB

Download
memory/4572-48-0x00000000068C0000-0x00000000068DE000-memory.dmp

Filesize
120KB

Download
memory/4572-10-0x0000000005680000-0x0000000005CAA000-memory.dmp

Filesize
6.2MB

Download
memory/4572-57-0x00000000075C0000-0x0000000007664000-memory.dmp

Filesize
656KB

Download
memory/4572-11-0x0000000073B40000-0x00000000742F1000-memory.dmp

Filesize
7.7MB

Download
memory/4572-738-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/4620-678-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/4628-636-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/4664-264-0x0000000074680000-0x00000000746CC000-memory.dmp

Filesize
304KB

Download
memory/4664-253-0x0000000005CF0000-0x0000000006047000-memory.dmp

Filesize
3.3MB

Download
memory/4664-273-0x0000000007230000-0x00000000072D4000-memory.dmp

Filesize
656KB

Download
memory/4664-263-0x00000000062D0000-0x000000000631C000-memory.dmp

Filesize
304KB

Download
memory/4664-427-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/4764-367-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/4768-482-0x0000000074540000-0x000000007458C000-memory.dmp

Filesize
304KB

Download
memory/4832-400-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/4852-471-0x0000000074540000-0x000000007458C000-memory.dmp

Filesize
304KB

Download
memory/4852-470-0x00000000064E0000-0x000000000652C000-memory.dmp

Filesize
304KB

Download
memory/4852-491-0x0000000007A50000-0x0000000007A65000-memory.dmp

Filesize
84KB

Download
memory/4852-452-0x0000000005E30000-0x0000000006187000-memory.dmp

Filesize
3.3MB

Download
memory/4852-481-0x0000000007A10000-0x0000000007A21000-memory.dmp

Filesize
68KB

Download
memory/4852-480-0x0000000007520000-0x00000000075C4000-memory.dmp

Filesize
656KB

Download
memory/4892-687-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/4900-297-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/4900-296-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/4900-295-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/4900-299-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/4900-298-0x0000000000CC0000-0x0000000001343000-memory.dmp

Filesize
6.5MB

Download
memory/4912-582-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download
memory/5000-989-0x00000000745A0000-0x00000000745EC000-memory.dmp

Filesize
304KB

Download