2a5d727c5873b643775c52be3475543fef7fe43fe7605826f2574d64acdfb8e0

Analysis

max time kernel
1799s
max time network
1560s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Anonix/Anonix.exe
Size

615.1MB
MD5

796c4e013accc1d47e263f2438248e5e
SHA1

dbca3bb74c9715a4b21259fa644a39a59bb438a7
SHA256

e934ef0b1bad86d0a8d2a08a90b64b309404b2983649f8e34d400704ce8c65c0
SHA512

5ae71ea3ac4f15c6143a424e1e2491294e5f2e5508ca4c05b6fa2676634140ec03e27b698ab0378726b421369e36988f56e016e145ba10b2d517577a00de926c
SSDEEP

49152:lNjqYcOatzfsFfG/oDx4tDhdLDG15f9pTo0trQyYxQw:lNjFcOaxYG/M43HA5fVt8Q

Score

9^/10

evasion execution themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 32 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

ULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeAnonix.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Anonix.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ULEXPY.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2364	powershell.exe
1760	powershell.exe
2644	powershell.exe
2824	powershell.exe
1676	powershell.exe
2096	powershell.exe
2908	powershell.exe
2996	powershell.exe
3048	powershell.exe
2996	powershell.exe
2524	powershell.exe
2944	powershell.exe
1900	powershell.exe
2460	powershell.exe
2724	powershell.exe
2640	powershell.exe
2524	powershell.exe
812	powershell.exe
1240	powershell.exe
1752	powershell.exe
2880	powershell.exe
2420	powershell.exe
1296	powershell.exe
2112	powershell.exe
1960	powershell.exe
2940	powershell.exe
320	powershell.exe
3060	powershell.exe
2184	powershell.exe
1064	powershell.exe
1852	powershell.exe
1956	powershell.exe
2896	powershell.exe
1808	powershell.exe
1836	powershell.exe
2256	powershell.exe
1612	powershell.exe
1108	powershell.exe
3020	powershell.exe
2612	powershell.exe
2388	powershell.exe
2512	powershell.exe
2824	powershell.exe
1364	powershell.exe
3000	powershell.exe
2696	powershell.exe
2688	powershell.exe
3064	powershell.exe
1600	powershell.exe
1716	powershell.exe
3064	powershell.exe
1644	powershell.exe
1508	powershell.exe
1588	powershell.exe
1692	powershell.exe
708	powershell.exe
1856	powershell.exe
1852	powershell.exe
2872	powershell.exe
1680	powershell.exe
1492	powershell.exe
3008	powershell.exe
3000	powershell.exe
1648	powershell.exe

Checks BIOS information in registry 2 TTPs 64 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeAnonix.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Anonix.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Anonix.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ULEXPY.exe

Executes dropped EXE 31 IoCs

Processes:

ULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exe

pid	process
2528	ULEXPY.exe
2244	ULEXPY.exe
2120	ULEXPY.exe
2900	ULEXPY.exe
2604	ULEXPY.exe
2808	ULEXPY.exe
308	ULEXPY.exe
1992	ULEXPY.exe
1348	ULEXPY.exe
2704	ULEXPY.exe
2112	ULEXPY.exe
2388	ULEXPY.exe
2108	ULEXPY.exe
2468	ULEXPY.exe
576	ULEXPY.exe
2356	ULEXPY.exe
3048	ULEXPY.exe
892	ULEXPY.exe
1596	ULEXPY.exe
1752	ULEXPY.exe
948	ULEXPY.exe
2792	ULEXPY.exe
1844	ULEXPY.exe
2920	ULEXPY.exe
2484	ULEXPY.exe
1616	ULEXPY.exe
1932	ULEXPY.exe
1760	ULEXPY.exe
1680	ULEXPY.exe
2212	ULEXPY.exe
2832	ULEXPY.exe

Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2660 cmd.exe

pid	process
2660	cmd.exe

Themida packer 56 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1232-0-0x00000000010F0000-0x0000000001773000-memory.dmp	themida
behavioral1/memory/1232-2-0x00000000010F0000-0x0000000001773000-memory.dmp	themida
behavioral1/memory/1232-4-0x00000000010F0000-0x0000000001773000-memory.dmp	themida
behavioral1/memory/1232-6-0x00000000010F0000-0x0000000001773000-memory.dmp	themida
behavioral1/memory/1232-5-0x00000000010F0000-0x0000000001773000-memory.dmp	themida
behavioral1/memory/1232-3-0x00000000010F0000-0x0000000001773000-memory.dmp	themida
behavioral1/memory/1232-26-0x00000000010F0000-0x0000000001773000-memory.dmp	themida
behavioral1/memory/2528-30-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2528-31-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2528-33-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2528-32-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2528-34-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2528-45-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2244-48-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2244-49-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2244-51-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2244-50-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2244-52-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2244-54-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2120-73-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2120-74-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2120-75-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2120-76-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2120-77-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2120-79-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2900-98-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2900-99-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2900-102-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2900-100-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2900-101-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2900-104-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2604-122-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2604-124-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2604-123-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2604-125-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2604-126-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2604-128-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2528-141-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2808-146-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2808-147-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2808-148-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2808-150-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2808-149-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2808-152-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/308-170-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/308-176-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/1992-195-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/1992-206-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/1348-220-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/1348-226-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2704-250-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2112-269-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2112-275-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2388-301-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2108-318-0x0000000000130000-0x00000000007B3000-memory.dmp	themida
behavioral1/memory/2108-324-0x0000000000130000-0x00000000007B3000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 32 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeAnonix.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Anonix.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ULEXPY.exe

Drops file in System32 directory 60 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 32 IoCs

Processes:

Anonix.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exeULEXPY.exe

pid	process
1232	Anonix.exe
2528	ULEXPY.exe
2244	ULEXPY.exe
2120	ULEXPY.exe
2900	ULEXPY.exe
2604	ULEXPY.exe
2808	ULEXPY.exe
308	ULEXPY.exe
1992	ULEXPY.exe
1348	ULEXPY.exe
2704	ULEXPY.exe
2112	ULEXPY.exe
2388	ULEXPY.exe
2108	ULEXPY.exe
2468	ULEXPY.exe
576	ULEXPY.exe
2356	ULEXPY.exe
3048	ULEXPY.exe
892	ULEXPY.exe
1596	ULEXPY.exe
1752	ULEXPY.exe
948	ULEXPY.exe
2792	ULEXPY.exe
1844	ULEXPY.exe
2920	ULEXPY.exe
2484	ULEXPY.exe
1616	ULEXPY.exe
1932	ULEXPY.exe
1760	ULEXPY.exe
1680	ULEXPY.exe
2212	ULEXPY.exe
2832	ULEXPY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2496 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1996 schtasks.exe

pid	process
2496	timeout.exe

pid	process
1996	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
3020	powershell.exe
2364	powershell.exe
1808	powershell.exe
2944	powershell.exe
2688	powershell.exe
1644	powershell.exe
1364	powershell.exe
1760	powershell.exe
1508	powershell.exe
3000	powershell.exe
3048	powershell.exe
1836	powershell.exe
1852	powershell.exe
1588	powershell.exe
1752	powershell.exe
2256	powershell.exe
2612	powershell.exe
1692	powershell.exe
2880	powershell.exe
2420	powershell.exe
2640	powershell.exe
2996	powershell.exe
2524	powershell.exe
2824	powershell.exe
1852	powershell.exe
2940	powershell.exe
2872	powershell.exe
320	powershell.exe
1296	powershell.exe
3064	powershell.exe
3060	powershell.exe
1680	powershell.exe
1492	powershell.exe
812	powershell.exe
2112	powershell.exe
3008	powershell.exe
1612	powershell.exe
1676	powershell.exe
1716	powershell.exe
1600	powershell.exe
1108	powershell.exe
1956	powershell.exe
1240	powershell.exe
708	powershell.exe
2096	powershell.exe
1064	powershell.exe
2696	powershell.exe
3000	powershell.exe
2908	powershell.exe
2524	powershell.exe
2388	powershell.exe
1648	powershell.exe
1900	powershell.exe
2460	powershell.exe
2896	powershell.exe
1960	powershell.exe
3064	powershell.exe
1856	powershell.exe
2644	powershell.exe
2724	powershell.exe
2996	powershell.exe
2512	powershell.exe
2824	powershell.exe
2184	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Anonix.execmd.exeULEXPY.exetaskeng.exeULEXPY.exeULEXPY.exeULEXPY.exe

description	pid	process	target process
PID 1232 wrote to memory of 2364	1232	Anonix.exe	powershell.exe
PID 1232 wrote to memory of 2364	1232	Anonix.exe	powershell.exe
PID 1232 wrote to memory of 2364	1232	Anonix.exe	powershell.exe
PID 1232 wrote to memory of 2364	1232	Anonix.exe	powershell.exe
PID 1232 wrote to memory of 3020	1232	Anonix.exe	powershell.exe
PID 1232 wrote to memory of 3020	1232	Anonix.exe	powershell.exe
PID 1232 wrote to memory of 3020	1232	Anonix.exe	powershell.exe
PID 1232 wrote to memory of 3020	1232	Anonix.exe	powershell.exe
PID 1232 wrote to memory of 2660	1232	Anonix.exe	cmd.exe
PID 1232 wrote to memory of 2660	1232	Anonix.exe	cmd.exe
PID 1232 wrote to memory of 2660	1232	Anonix.exe	cmd.exe
PID 1232 wrote to memory of 2660	1232	Anonix.exe	cmd.exe
PID 2660 wrote to memory of 2496	2660	cmd.exe	timeout.exe
PID 2660 wrote to memory of 2496	2660	cmd.exe	timeout.exe
PID 2660 wrote to memory of 2496	2660	cmd.exe	timeout.exe
PID 2660 wrote to memory of 2496	2660	cmd.exe	timeout.exe
PID 2660 wrote to memory of 2528	2660	cmd.exe	ULEXPY.exe
PID 2660 wrote to memory of 2528	2660	cmd.exe	ULEXPY.exe
PID 2660 wrote to memory of 2528	2660	cmd.exe	ULEXPY.exe
PID 2660 wrote to memory of 2528	2660	cmd.exe	ULEXPY.exe
PID 2528 wrote to memory of 1808	2528	ULEXPY.exe	powershell.exe
PID 2528 wrote to memory of 1808	2528	ULEXPY.exe	powershell.exe
PID 2528 wrote to memory of 1808	2528	ULEXPY.exe	powershell.exe
PID 2528 wrote to memory of 1808	2528	ULEXPY.exe	powershell.exe
PID 2528 wrote to memory of 2944	2528	ULEXPY.exe	powershell.exe
PID 2528 wrote to memory of 2944	2528	ULEXPY.exe	powershell.exe
PID 2528 wrote to memory of 2944	2528	ULEXPY.exe	powershell.exe
PID 2528 wrote to memory of 2944	2528	ULEXPY.exe	powershell.exe
PID 2528 wrote to memory of 1996	2528	ULEXPY.exe	schtasks.exe
PID 2528 wrote to memory of 1996	2528	ULEXPY.exe	schtasks.exe
PID 2528 wrote to memory of 1996	2528	ULEXPY.exe	schtasks.exe
PID 2528 wrote to memory of 1996	2528	ULEXPY.exe	schtasks.exe
PID 1744 wrote to memory of 2244	1744	taskeng.exe	ULEXPY.exe
PID 1744 wrote to memory of 2244	1744	taskeng.exe	ULEXPY.exe
PID 1744 wrote to memory of 2244	1744	taskeng.exe	ULEXPY.exe
PID 1744 wrote to memory of 2244	1744	taskeng.exe	ULEXPY.exe
PID 2244 wrote to memory of 1644	2244	ULEXPY.exe	powershell.exe
PID 2244 wrote to memory of 1644	2244	ULEXPY.exe	powershell.exe
PID 2244 wrote to memory of 1644	2244	ULEXPY.exe	powershell.exe
PID 2244 wrote to memory of 1644	2244	ULEXPY.exe	powershell.exe
PID 2244 wrote to memory of 2688	2244	ULEXPY.exe	powershell.exe
PID 2244 wrote to memory of 2688	2244	ULEXPY.exe	powershell.exe
PID 2244 wrote to memory of 2688	2244	ULEXPY.exe	powershell.exe
PID 2244 wrote to memory of 2688	2244	ULEXPY.exe	powershell.exe
PID 1744 wrote to memory of 2120	1744	taskeng.exe	ULEXPY.exe
PID 1744 wrote to memory of 2120	1744	taskeng.exe	ULEXPY.exe
PID 1744 wrote to memory of 2120	1744	taskeng.exe	ULEXPY.exe
PID 1744 wrote to memory of 2120	1744	taskeng.exe	ULEXPY.exe
PID 2120 wrote to memory of 1760	2120	ULEXPY.exe	powershell.exe
PID 2120 wrote to memory of 1760	2120	ULEXPY.exe	powershell.exe
PID 2120 wrote to memory of 1760	2120	ULEXPY.exe	powershell.exe
PID 2120 wrote to memory of 1760	2120	ULEXPY.exe	powershell.exe
PID 2120 wrote to memory of 1364	2120	ULEXPY.exe	powershell.exe
PID 2120 wrote to memory of 1364	2120	ULEXPY.exe	powershell.exe
PID 2120 wrote to memory of 1364	2120	ULEXPY.exe	powershell.exe
PID 2120 wrote to memory of 1364	2120	ULEXPY.exe	powershell.exe
PID 1744 wrote to memory of 2900	1744	taskeng.exe	ULEXPY.exe
PID 1744 wrote to memory of 2900	1744	taskeng.exe	ULEXPY.exe
PID 1744 wrote to memory of 2900	1744	taskeng.exe	ULEXPY.exe
PID 1744 wrote to memory of 2900	1744	taskeng.exe	ULEXPY.exe
PID 2900 wrote to memory of 1508	2900	ULEXPY.exe	powershell.exe
PID 2900 wrote to memory of 1508	2900	ULEXPY.exe	powershell.exe
PID 2900 wrote to memory of 1508	2900	ULEXPY.exe	powershell.exe
PID 2900 wrote to memory of 1508	2900	ULEXPY.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Anonix\Anonix.exe
"C:\Users\Admin\AppData\Local\Temp\Anonix\Anonix.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\sy8.0.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2496

C:\ProgramData\software\ULEXPY.exe
"C:\ProgramData\software\ULEXPY.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "ULEXPY" /tr C:\ProgramData\software\ULEXPY.exe /f
4⤵
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1984

C:\Windows\system32\taskeng.exe
taskeng.exe {4D4806BD-D3EF-4355-863F-8772A591D6FE} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2356

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1596

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:708

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\ProgramData\software\ULEXPY.exe
C:\ProgramData\software\ULEXPY.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sy8.0.bat
Filesize
172B

MD5
74740240d6c1dfa97570b9901fa09041

SHA1
898161717892cbd801789cedb92ead3e48d4e884

SHA256
9348f37487825ad03a5bc91262776a8f9b354b605d3e0d1dcff63d3abb0f536e

SHA512
8d60a2cfe5db13986dbc563991e85102bd006feebc7146cc8f32e40dc29df0a5cd5ad68027e95bb70ccfaf876a2d611657e9776ec5ecfdc726e25dd53c515d7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
7e8da6e97e6765e35f07639416734ab4

SHA1
906fade665a77411be246143a9d5732d28bf5468

SHA256
58f9f6e912a130f9700b8a6c64717f264c69c455b625a46b214cabe412d637dc

SHA512
76a205ea6f27784680b91f45777a10f1d316aec1390e3c3b7db0004e0203ffe6238901d5cb56e9db33279a33bfc4ee8f0638ef49a775165b04bcdd3e16458aaa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
df32326dce220a6ef130e0237e1cfeb8

SHA1
e61e603664190432e8102f2722a4378748bac387

SHA256
37bcdf761bce66f4ebec3240b90d770b9c4a601b35531874ee8b02f528b60d77

SHA512
9f23b3538dcc921c399aef097afafa89e32a75095c74c71173d3b2839853aa3dfc2f8d67b27b2f64be528dbd269dd905656666f731289e5cf830da0d4a6a7957

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/308-170-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/308-176-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/1232-5-0x00000000010F0000-0x0000000001773000-memory.dmp

Filesize
6.5MB

Download
memory/1232-1-0x0000000077890000-0x0000000077892000-memory.dmp

Filesize
8KB

Download
memory/1232-6-0x00000000010F0000-0x0000000001773000-memory.dmp

Filesize
6.5MB

Download
memory/1232-26-0x00000000010F0000-0x0000000001773000-memory.dmp

Filesize
6.5MB

Download
memory/1232-4-0x00000000010F0000-0x0000000001773000-memory.dmp

Filesize
6.5MB

Download
memory/1232-2-0x00000000010F0000-0x0000000001773000-memory.dmp

Filesize
6.5MB

Download
memory/1232-3-0x00000000010F0000-0x0000000001773000-memory.dmp

Filesize
6.5MB

Download
memory/1232-0-0x00000000010F0000-0x0000000001773000-memory.dmp

Filesize
6.5MB

Download
memory/1348-226-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/1348-220-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/1992-206-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/1992-195-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2108-318-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2108-324-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2112-275-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2112-269-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2120-74-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2120-73-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2120-75-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2120-76-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2120-77-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2120-79-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2244-54-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2244-52-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2244-50-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2244-51-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2244-49-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2244-48-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2388-301-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2528-33-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2528-34-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2528-30-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2528-31-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2528-32-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2528-45-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2528-141-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2604-128-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2604-126-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2604-122-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2604-125-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2604-123-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2604-124-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2704-250-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2808-148-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2808-152-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2808-149-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2808-150-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2808-147-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2808-146-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2900-104-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2900-101-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2900-100-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2900-102-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2900-99-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download
memory/2900-98-0x0000000000130000-0x00000000007B3000-memory.dmp

Filesize
6.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads