Overview

overview

10

Static

static

3

weave.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    15s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    22/08/2024, 09:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    weave.exe

  • Size

    15.4MB

  • MD5

    8232aa26c35a5c0e65e5de1c26dda123

  • SHA1

    3d6b0e100f43dc1a4b8ce4c78cbb03169f5001b1

  • SHA256

    5abfd9a755941262e7c68d0d64a15260810cd9ec73244287c957c316c587a3e1

  • SHA512

    8d289e9c1dc1c184ba50a41363a4eba4f5ed89988cac80353af48325e6cfa465450f0f2c89cf7b2b7b864ff30f4770bae3ad85513479a6a3455038e8f8dc5b63

  • SSDEEP

    393216:mqnsH7L9RseITuHE/8zeSL5rFpgRwK1RGWb1j6l:m10dTIZzeSL5x6SK1Rt

Score
10/10
defense_evasiondiscoveryevasionexecutionpersistencethemidatrojan

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 3 IoCs
  • Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Power Settings 1 TTPs 5 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:640
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
          PID:480
      • C:\Windows\system32\lsass.exe
        C:\Windows\system32\lsass.exe
        1⤵
          PID:696
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
          1⤵
            PID:1000
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
            1⤵
              PID:560
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
              1⤵
                PID:880
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                1⤵
                  PID:1064
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                  1⤵
                    PID:1080
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                    1⤵
                      PID:1192
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                      1⤵
                      • Drops file in System32 directory
                      PID:1232
                      • C:\Program Files\Microsoft\Edge\updater.exe
                        "C:\Program Files\Microsoft\Edge\updater.exe"
                        2⤵
                        • Executes dropped EXE
                        PID:1440
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
                      1⤵
                        PID:1272
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                        1⤵
                          PID:1324
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                          1⤵
                            PID:1372
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                            1⤵
                            • Indicator Removal: Clear Windows Event Logs
                            PID:1456
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                            1⤵
                              PID:1464
                              • C:\Windows\system32\sihost.exe
                                sihost.exe
                                2⤵
                                  PID:2056
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                1⤵
                                  PID:1532
                                • C:\Windows\System32\svchost.exe
                                  C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                  1⤵
                                    PID:1552
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                    1⤵
                                      PID:1704
                                    • C:\Windows\System32\svchost.exe
                                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                      1⤵
                                        PID:1744
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k NetworkService -p
                                        1⤵
                                          PID:1776
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                          1⤵
                                            PID:1792
                                          • C:\Windows\system32\svchost.exe
                                            C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                            1⤵
                                              PID:1828
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                              1⤵
                                                PID:1836
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                1⤵
                                                  PID:1856
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                  1⤵
                                                    PID:1984
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                    1⤵
                                                      PID:2024
                                                    • C:\Windows\System32\spoolsv.exe
                                                      C:\Windows\System32\spoolsv.exe
                                                      1⤵
                                                        PID:2128
                                                      • C:\Windows\System32\svchost.exe
                                                        C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                        1⤵
                                                          PID:2212
                                                        • C:\Windows\System32\svchost.exe
                                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                          1⤵
                                                            PID:2408
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                            1⤵
                                                              PID:2440
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                              1⤵
                                                                PID:2448
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k NetworkService -p
                                                                1⤵
                                                                  PID:2520
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                  1⤵
                                                                    PID:2588
                                                                  • C:\Windows\sysmon.exe
                                                                    C:\Windows\sysmon.exe
                                                                    1⤵
                                                                      PID:2608
                                                                    • C:\Windows\System32\svchost.exe
                                                                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                      1⤵
                                                                        PID:2640
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                        1⤵
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:2648
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                        1⤵
                                                                          PID:2656
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                          1⤵
                                                                            PID:2604
                                                                          • C:\Windows\system32\wbem\unsecapp.exe
                                                                            C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                            1⤵
                                                                              PID:1088
                                                                            • C:\Windows\Explorer.EXE
                                                                              C:\Windows\Explorer.EXE
                                                                              1⤵
                                                                                PID:3280
                                                                                • C:\Users\Admin\AppData\Local\Temp\weave.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\weave.exe"
                                                                                  2⤵
                                                                                  • Drops file in System32 directory
                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                  • Suspicious use of WriteProcessMemory
                                                                                  PID:3004
                                                                                  • C:\Users\Admin\AppData\Local\Temp\cli_gui.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\cli_gui.exe"
                                                                                    3⤵
                                                                                    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                    • Checks BIOS information in registry
                                                                                    • Executes dropped EXE
                                                                                    • Checks whether UAC is enabled
                                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of WriteProcessMemory
                                                                                    PID:4944
                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      4⤵
                                                                                        PID:4972
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\windows\system32'" > NUL 2>&1
                                                                                        4⤵
                                                                                        • Suspicious use of WriteProcessMemory
                                                                                        PID:4632
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          powershell -Command "Add-MpPreference -ExclusionPath 'C:\windows\system32'"
                                                                                          5⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:3884
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c cls
                                                                                        4⤵
                                                                                          PID:3732
                                                                                      • C:\Windows\system32\updater.exe
                                                                                        "C:\Windows\system32\updater.exe"
                                                                                        3⤵
                                                                                        • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious use of SetThreadContext
                                                                                        • Drops file in Program Files directory
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of WriteProcessMemory
                                                                                        PID:4656
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                                                                                      2⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:1596
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
                                                                                      2⤵
                                                                                      • Suspicious use of WriteProcessMemory
                                                                                      PID:960
                                                                                      • C:\Windows\System32\sc.exe
                                                                                        sc stop UsoSvc
                                                                                        3⤵
                                                                                        • Launches sc.exe
                                                                                        PID:2964
                                                                                      • C:\Windows\System32\sc.exe
                                                                                        sc stop WaaSMedicSvc
                                                                                        3⤵
                                                                                        • Launches sc.exe
                                                                                        PID:1228
                                                                                      • C:\Windows\System32\sc.exe
                                                                                        sc stop wuauserv
                                                                                        3⤵
                                                                                        • Launches sc.exe
                                                                                        PID:3044
                                                                                      • C:\Windows\System32\sc.exe
                                                                                        sc stop bits
                                                                                        3⤵
                                                                                        • Launches sc.exe
                                                                                        PID:5020
                                                                                      • C:\Windows\System32\sc.exe
                                                                                        sc stop dosvc
                                                                                        3⤵
                                                                                        • Launches sc.exe
                                                                                        PID:1648
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                                                                                      2⤵
                                                                                      • Power Settings
                                                                                      • Suspicious use of WriteProcessMemory
                                                                                      PID:2248
                                                                                      • C:\Windows\System32\powercfg.exe
                                                                                        powercfg /x -hibernate-timeout-ac 0
                                                                                        3⤵
                                                                                        • Power Settings
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:1144
                                                                                      • C:\Windows\System32\powercfg.exe
                                                                                        powercfg /x -hibernate-timeout-dc 0
                                                                                        3⤵
                                                                                        • Power Settings
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:872
                                                                                      • C:\Windows\System32\powercfg.exe
                                                                                        powercfg /x -standby-timeout-ac 0
                                                                                        3⤵
                                                                                        • Power Settings
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2552
                                                                                      • C:\Windows\System32\powercfg.exe
                                                                                        powercfg /x -standby-timeout-dc 0
                                                                                        3⤵
                                                                                        • Power Settings
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:4048
                                                                                    • C:\Windows\System32\dialer.exe
                                                                                      C:\Windows\System32\dialer.exe
                                                                                      2⤵
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      • Suspicious use of WriteProcessMemory
                                                                                      PID:4480
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lfvbfbo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MicrosoftEdge' /tr '''C:\Program Files\Microsoft\Edge\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Microsoft\Edge\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MicrosoftEdge' -User 'System' -RunLevel 'Highest' -Force; }
                                                                                      2⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:1268
                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        3⤵
                                                                                          PID:3048
                                                                                      • C:\Windows\System32\schtasks.exe
                                                                                        C:\Windows\System32\schtasks.exe /run /tn "MicrosoftEdge"
                                                                                        2⤵
                                                                                          PID:4668
                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            3⤵
                                                                                              PID:2468
                                                                                        • C:\Windows\system32\svchost.exe
                                                                                          C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                          1⤵
                                                                                            PID:3408
                                                                                          • C:\Windows\system32\svchost.exe
                                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
                                                                                            1⤵
                                                                                              PID:3444
                                                                                            • C:\Windows\System32\RuntimeBroker.exe
                                                                                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                              1⤵
                                                                                                PID:3808
                                                                                              • C:\Windows\System32\RuntimeBroker.exe
                                                                                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                1⤵
                                                                                                  PID:3872
                                                                                                • C:\Windows\system32\DllHost.exe
                                                                                                  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                  1⤵
                                                                                                    PID:3916
                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                    C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
                                                                                                    1⤵
                                                                                                      PID:3936
                                                                                                    • C:\Windows\system32\DllHost.exe
                                                                                                      C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
                                                                                                      1⤵
                                                                                                        PID:4140
                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                        C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
                                                                                                        1⤵
                                                                                                          PID:4364
                                                                                                        • C:\Windows\system32\DllHost.exe
                                                                                                          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                          1⤵
                                                                                                            PID:4348
                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                            C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                                                            1⤵
                                                                                                              PID:4524
                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                              C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                                              1⤵
                                                                                                                PID:2256
                                                                                                              • C:\Windows\System32\svchost.exe
                                                                                                                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                                1⤵
                                                                                                                  PID:4328
                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                                  1⤵
                                                                                                                    PID:2044
                                                                                                                  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                                    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                                    1⤵
                                                                                                                      PID:4948
                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                      1⤵
                                                                                                                        PID:2304
                                                                                                                      • C:\Windows\system32\SppExtComObj.exe
                                                                                                                        C:\Windows\system32\SppExtComObj.exe -Embedding
                                                                                                                        1⤵
                                                                                                                          PID:1592
                                                                                                                        • C:\Windows\System32\svchost.exe
                                                                                                                          C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                          1⤵
                                                                                                                            PID:1684
                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                            C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
                                                                                                                            1⤵
                                                                                                                              PID:3676
                                                                                                                            • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                              1⤵
                                                                                                                                PID:1852

                                                                                                                              Network

                                                                                                                              MITRE ATT&CK Enterprise v15

                                                                                                                              Replay Monitor

                                                                                                                              Loading Replay Monitor...

                                                                                                                              Downloads

                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                                                                                Filesize

                                                                                                                                2KB

                                                                                                                                MD5

                                                                                                                                627073ee3ca9676911bee35548eff2b8

                                                                                                                                SHA1

                                                                                                                                4c4b68c65e2cab9864b51167d710aa29ebdcff2e

                                                                                                                                SHA256

                                                                                                                                85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

                                                                                                                                SHA512

                                                                                                                                3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

                                                                                                                                Download Submit

                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                Filesize

                                                                                                                                944B

                                                                                                                                MD5

                                                                                                                                1a9fa92a4f2e2ec9e244d43a6a4f8fb9

                                                                                                                                SHA1

                                                                                                                                9910190edfaccece1dfcc1d92e357772f5dae8f7

                                                                                                                                SHA256

                                                                                                                                0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

                                                                                                                                SHA512

                                                                                                                                5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

                                                                                                                                Download Submit

                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                                Filesize

                                                                                                                                944B

                                                                                                                                MD5

                                                                                                                                2e0391d00f5bfbc34be70790f14d5edf

                                                                                                                                SHA1

                                                                                                                                fcb04d8599c23967de4f154a101be480933ab0d0

                                                                                                                                SHA256

                                                                                                                                1c0c0c86d7c736fc9fb148ac7cd6e67565dc5b76fa116ae3b000a79e91855136

                                                                                                                                SHA512

                                                                                                                                231b9cc6efb928f0748cef04f287d9204c4f7d2eb4bc27f345e9a1afc6d0675057978ca44d1a95334ee2380709aa6dbe74015fedff8f17611a64efcfb9f64d2a

                                                                                                                                Download Submit

                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g0cidpv2.pw5.ps1
                                                                                                                                Filesize

                                                                                                                                60B

                                                                                                                                MD5

                                                                                                                                d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                SHA1

                                                                                                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                SHA256

                                                                                                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                SHA512

                                                                                                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                Download Submit

                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\cli_gui.exe
                                                                                                                                Filesize

                                                                                                                                2.9MB

                                                                                                                                MD5

                                                                                                                                a11c89310149164b7cc9782fb631459b

                                                                                                                                SHA1

                                                                                                                                bc6500c18cb1e810016046baaf627328dcce1916

                                                                                                                                SHA256

                                                                                                                                014d7046f92d512642247df3d442144716451f2e638b60c4685aba9e0552e154

                                                                                                                                SHA512

                                                                                                                                bd41a12a388a08bf9e3fdf1718730f9822433cfb694bd192f6209cc0e9e84784c6598fd7bf5412b1ca873e08b1e62048cf472c9145a602b80ecb50b915e29497

                                                                                                                                Download Submit

                                                                                                                              • C:\Windows\System32\updater.exe
                                                                                                                                Filesize

                                                                                                                                5.7MB

                                                                                                                                MD5

                                                                                                                                8cd62e3ece85c4c3e9f6f7c816256adf

                                                                                                                                SHA1

                                                                                                                                9712769be3f755c5ecbe68d38800a3a8ecdaf324

                                                                                                                                SHA256

                                                                                                                                39ebcdbb6993787be2ed9d2b6668b9ee2707ca483a66b51d1302bfc610ba021b

                                                                                                                                SHA512

                                                                                                                                a0aa9f0e6542c526fc18d48ab945d8be3245900381c9640f6e122a633a15dd9a9364bacd830fbc588a926ebef8240300c1fbf4211eae600cff8b7e2c63613501

                                                                                                                                Download Submit

                                                                                                                              • memory/480-72-0x00007FF9C99F0000-0x00007FF9C9A00000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                64KB

                                                                                                                                Download

                                                                                                                              • memory/480-71-0x000001ADA2B70000-0x000001ADA2B97000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                156KB

                                                                                                                                Download

                                                                                                                              • memory/560-78-0x00000173C21B0000-0x00000173C21D7000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                156KB

                                                                                                                                Download

                                                                                                                              • memory/560-79-0x00007FF9C99F0000-0x00007FF9C9A00000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                64KB

                                                                                                                                Download

                                                                                                                              • memory/640-63-0x000002479B0F0000-0x000002479B117000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                156KB

                                                                                                                                Download

                                                                                                                              • memory/640-65-0x00007FF9C99F0000-0x00007FF9C9A00000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                64KB

                                                                                                                                Download

                                                                                                                              • memory/640-61-0x000002479B0C0000-0x000002479B0E1000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                132KB

                                                                                                                                Download

                                                                                                                              • memory/696-67-0x00007FF9C99F0000-0x00007FF9C9A00000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                64KB

                                                                                                                                Download

                                                                                                                              • memory/696-64-0x0000017F4C110000-0x0000017F4C137000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                156KB

                                                                                                                                Download

                                                                                                                              • memory/880-83-0x00007FF9C99F0000-0x00007FF9C9A00000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                64KB

                                                                                                                                Download

                                                                                                                              • memory/880-82-0x000002B897A60000-0x000002B897A87000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                156KB

                                                                                                                                Download

                                                                                                                              • memory/1000-74-0x0000013AFC890000-0x0000013AFC8B7000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                156KB

                                                                                                                                Download

                                                                                                                              • memory/1000-75-0x00007FF9C99F0000-0x00007FF9C9A00000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                64KB

                                                                                                                                Download

                                                                                                                              • memory/1064-87-0x0000027436140000-0x0000027436167000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                156KB

                                                                                                                                Download

                                                                                                                              • memory/1064-88-0x00007FF9C99F0000-0x00007FF9C9A00000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                64KB

                                                                                                                                Download

                                                                                                                              • memory/1080-90-0x0000027F1BF40000-0x0000027F1BF67000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                156KB

                                                                                                                                Download

                                                                                                                              • memory/1080-91-0x00007FF9C99F0000-0x00007FF9C9A00000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                64KB

                                                                                                                                Download

                                                                                                                              • memory/1192-106-0x0000025B97460000-0x0000025B97487000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                156KB

                                                                                                                                Download

                                                                                                                              • memory/1192-107-0x00007FF9C99F0000-0x00007FF9C9A00000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                64KB

                                                                                                                                Download

                                                                                                                              • memory/1232-97-0x00000170075A0000-0x00000170075C7000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                156KB

                                                                                                                                Download

                                                                                                                              • memory/1232-98-0x00007FF9C99F0000-0x00007FF9C9A00000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                64KB

                                                                                                                                Download

                                                                                                                              • memory/1272-100-0x000002ACD39B0000-0x000002ACD39D7000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                156KB

                                                                                                                                Download

                                                                                                                              • memory/1272-101-0x00007FF9C99F0000-0x00007FF9C9A00000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                64KB

                                                                                                                                Download

                                                                                                                              • memory/1324-103-0x00000240B44F0000-0x00000240B4517000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                156KB

                                                                                                                                Download

                                                                                                                              • memory/1324-104-0x00007FF9C99F0000-0x00007FF9C9A00000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                64KB

                                                                                                                                Download

                                                                                                                              • memory/3004-1-0x0000000000400000-0x00000000015C1000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                17.8MB

                                                                                                                                Download

                                                                                                                              • memory/3004-22-0x0000000000400000-0x00000000015C1000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                17.8MB

                                                                                                                                Download

                                                                                                                              • memory/3004-0-0x0000000000400000-0x00000000015C1000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                17.8MB

                                                                                                                                Download

                                                                                                                              • memory/3884-29-0x000002176DFA0000-0x000002176DFC2000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                136KB

                                                                                                                                Download

                                                                                                                              • memory/4480-51-0x00007FFA07DA0000-0x00007FFA07E5D000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                756KB

                                                                                                                                Download

                                                                                                                              • memory/4480-50-0x00007FFA09960000-0x00007FFA09B69000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                2.0MB

                                                                                                                                Download

                                                                                                                              • memory/4656-48-0x00007FF74CB50000-0x00007FF74D115000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                5.8MB

                                                                                                                                Download

                                                                                                                              • memory/4944-18-0x00007FF66B020000-0x00007FF66B85E000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                8.2MB

                                                                                                                                Download

                                                                                                                              • memory/4944-23-0x00007FFA09A07000-0x00007FFA09A09000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                8KB

                                                                                                                                Download

                                                                                                                              • memory/4944-35-0x00007FF66B020000-0x00007FF66B85E000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                8.2MB

                                                                                                                                Download