Analysis
  max time kernel: 26s
  max time network: 29s
  platform: windows11-21h2_x64
  resource: win11-20240802-en
  resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  submitted: 27/09/2024, 18:38
Static task: static1
Behavioral task: behavioral1
  Sample: weave.exe
  Resource: win11-20240802-en
General
  Target: weave.exe
  Size: 18.2MB
  MD5: f293ebde82be4a4c20f5b58a05384108
  SHA1: 2240637695575a69e8918a9e9083d8f6d6a25356
  SHA256: 6ee011dc3dc0568d97acddc89bfbae917c42a811a99cd851e17bae209e9e7506
  SHA512: a1a222e1203baad3141f2fbf3fca6f511842556c8175cdc6ea735e494aa9e923ef53d906c79bf53af1a1ec1e113cd70e5f06fb6068faf89912726e520e592224
  SSDEEP: 393216:duxU/9YlNS1YOmAP0ybcsOCdha3hgw7KQs6Qg5H2Ym8IBX3Iv:dP/9YzC3csZa3hgRgJIBXE
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess (12 IoCs)
  description | pid | Process | procid_target
  PID 4924 created 3284 | 4924 | updater.exe | 53   (6 identical events)
  PID 1916 created 3284 | 1916 | updater.exe | 53   (6 identical events)
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | cli_gui.exe
Command and Scripting Interpreter: PowerShell (1 TTP, 5 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid | Process
  3208 powershell.exe, 2544 powershell.exe, 2712 powershell.exe, 2480 powershell.exe, 1512 powershell.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | cli_gui.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | cli_gui.exe
Executes dropped EXE (3 IoCs)
  pid | Process
  1804 cli_gui.exe, 4924 updater.exe, 1916 updater.exe
Indicator Removal: Clear Windows Event Logs (1 TTP, 2 IoCs)
Clears Windows Event Logs to hide the activity of an intrusion.
  description | ioc | Process
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
  The svchost.exe here is the EventLog service host (PID 1408 in the process tree), which is also one of the processes dialer.exe (PID 2912) wrote into according to the WriteProcessMemory IoCs; the .evtx files are touched by the service, not by the sample's own binaries.
YARA rule match: themida (3 IoCs)
  resource | yara_rule
  behavioral1/files/0x000200000002ab4e-9.dat | themida
  behavioral1/memory/1804-20-0x00007FF6170F0000-0x00007FF617929000-memory.dmp | themida
  behavioral1/memory/1804-37-0x00007FF6170F0000-0x00007FF617929000-memory.dmp | themida
  (PID 1804 is cli_gui.exe in the process tree; the dropped file and its mapped image both match the Themida packer rule.)
Checks whether UAC is enabled (1 IoC)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cli_gui.exe
Power Settings (1 TTP, 10 IoCs)
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  pid | Process
  2008 powercfg.exe, 2812 powercfg.exe, 3512 powercfg.exe, 3336 powercfg.exe, 5112 powercfg.exe, 2084 powercfg.exe, 3944 cmd.exe, 4104 powercfg.exe, 3124 powercfg.exe, 3464 cmd.exe
Drops file in System32 directory (6 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File created | C:\Windows\system32\syscfg.cfg | weave.exe
  File created | C:\Windows\system32\updater.exe | weave.exe
  File opened for modification | C:\Windows\System32\Tasks\MicrosoftEdge | svchost.exe
  The two files created by weave.exe are the dropped updater.exe (see "Executes dropped EXE") and syscfg.cfg. The Tasks\MicrosoftEdge write is the Schedule service (svchost.exe PID 1176) storing the 'MicrosoftEdge' task registered by the PowerShell command in the process tree. The systemprofile paths show that those powershell.exe instances ran under the SYSTEM profile.
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | Process
  1204 weave.exe, 1804 cli_gui.exe
Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 4924 set thread context of 2912 (dialer.exe) | 4924 | updater.exe | 96
  PID 1916 set thread context of 2468 (dialer.exe) | 1916 | updater.exe | 118
  PID 1916 set thread context of 1788 (dialer.exe) | 1916 | updater.exe | 125
  All three targets are dialer.exe instances that appear under Explorer.EXE in the process tree. Together with the WriteProcessMemory entry for 4924 -> 2912 below, this is the create-child, write-memory, rewrite-thread-context sequence consistent with process hollowing; dialer.exe is the host for the injected code, not the malicious binary itself.
Drops file in Program Files directory (1 IoC)
  description | ioc | Process
  File created | C:\Program Files\Microsoft\Edge\updater.exe | updater.exe
Launches sc.exe (10 IoCs)
sc.exe is a Windows utility to control services on the system.
  pid | Process
  1568 sc.exe, 392 sc.exe, 1344 sc.exe, 1620 sc.exe, 760 sc.exe, 4756 sc.exe, 4652 sc.exe, 1360 sc.exe, 4848 sc.exe, 1928 sc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | weave.exe
Modifies data under HKEY_USERS (64 IoCs)
All 64 events are registry writes by powershell.exe under the \REGISTRY\USER\.DEFAULT hive. Duplicate rows are collapsed below.
  Set value (int):
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   (2 events)
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
  Key created under \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\:
    CA, CA\Certificates, CA\CRLs, CA\CTLs, Disallowed, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs, Root, Root\Certificates, Root\CRLs, SmartCardRoot, SmartCardRoot\Certificates, SmartCardRoot\CRLs, trust, trust\Certificates, trust\CRLs, trust\CTLs, TrustedPeople, TrustedPeople\Certificates, TrustedPeople\CRLs, TrustedPeople\CTLs
  Key created under \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\:
    CA\Certificates, CA\CRLs, CA\CTLs, Disallowed, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs, trust, trust\Certificates, trust\CRLs, trust\CTLs, TrustedPeople, TrustedPeople\CRLs, TrustedPeople\CTLs
  Key created:
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  These are the certificate-store and zone-map keys the .NET/PowerShell runtime creates the first time it runs under a profile that lacks them. Their appearance under .DEFAULT is consistent with the two powershell.exe instances flagged in the process tree (PIDs 2712 and 1512, children of the task-launched updater.exe) running as SYSTEM, which is also what the systemprofile paths under "Drops file in System32 directory" show. The execution context, not the keys themselves, is the notable finding.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | events
  1204 | weave.exe | 8
  3208 | powershell.exe | 2
  2544 | powershell.exe | 2
  2480 | powershell.exe | 3
  4924 | updater.exe | 12
  2912 | dialer.exe | 37
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Process (pid) | Token(s)
  powershell.exe (3208) | SeDebugPrivilege
  powershell.exe (2544) | SeDebugPrivilege
  dialer.exe (2912) | SeDebugPrivilege
  powercfg.exe (3512, 4104, 3336, 3124) | SeShutdownPrivilege, SeCreatePagefilePrivilege (each)
  powershell.exe (2480) | SeDebugPrivilege; then SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  svchost.exe (2740, Winmgmt) | SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege (sequence repeated; the listing stops at the 64-IoC limit part-way through the third repetition)
Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  1204 weave.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Target PIDs are resolved against the process tree below; "procid_target" is the report's own process index, reproduced as given.
  description | pid | Process | procid_target
  PID 1204 wrote to memory of 1804 (cli_gui.exe) | 1204 | weave.exe | 79   (2 events)
  PID 1204 wrote to memory of 4924 (updater.exe) | 1204 | weave.exe | 81   (2 events)
  PID 1804 wrote to memory of 3840 (cmd.exe) | 1804 | cli_gui.exe | 82   (2 events)
  PID 3840 wrote to memory of 3208 (powershell.exe) | 3840 | cmd.exe | 83   (2 events)
  PID 1804 wrote to memory of 2788 (cmd.exe) | 1804 | cli_gui.exe | 84   (2 events)
  PID 2708 wrote to memory of 1568 (sc.exe) | 2708 | cmd.exe | 89   (2 events)
  PID 2708 wrote to memory of 4756 (sc.exe) | 2708 | cmd.exe | 90   (2 events)
  PID 2708 wrote to memory of 4652 (sc.exe) | 2708 | cmd.exe | 91   (2 events)
  PID 2708 wrote to memory of 392 (sc.exe) | 2708 | cmd.exe | 92   (2 events)
  PID 2708 wrote to memory of 1360 (sc.exe) | 2708 | cmd.exe | 93   (2 events)
  PID 4924 wrote to memory of 2912 (dialer.exe) | 4924 | updater.exe | 96
  PID 3944 wrote to memory of 3512 (powercfg.exe) | 3944 | cmd.exe | 99   (2 events)
  PID 3944 wrote to memory of 4104 (powercfg.exe) | 3944 | cmd.exe | 100   (2 events)
  PID 3944 wrote to memory of 3336 (powercfg.exe) | 3944 | cmd.exe | 101   (2 events)
  PID 3944 wrote to memory of 3124 (powercfg.exe) | 3944 | cmd.exe | 102   (2 events)
  PID 2912 (dialer.exe) wrote to memory of each of the following, one event each, procid_target in parentheses:
    636 winlogon.exe (5), 696 lsass.exe (7), 984 svchost.exe LSM (12), 428 dwm.exe (13), 560 svchost.exe gpsvc (14), 1004 svchost.exe lmhosts (15), 1084 svchost.exe NcbService (16), 1176 svchost.exe Schedule (18), 1192 svchost.exe nsi (19), 1260 svchost.exe TimeBrokerSvc (20), 1276 svchost.exe netprofm (21), 1316 svchost.exe ProfSvc (22), 1384 svchost.exe DispBrokerDesktopSvc (23), 1408 svchost.exe EventLog (24), 1492 svchost.exe UserManager (25), 1528 svchost.exe EventSystem (26), 1544 svchost.exe Themes (27), 1708 svchost.exe SENS (28), 1760 svchost.exe AudioEndpointBuilder (29), 1792 svchost.exe NetworkService (30), 1812 svchost.exe LocalServiceNetworkRestricted (31), 1848 svchost.exe Dhcp (32), 1856 svchost.exe LocalServiceNetworkRestricted (33), 1880 svchost.exe LocalServiceNetworkRestricted (34), 1968 svchost.exe StateRepository (35), 2032 svchost.exe ShellHWDetection (36), 1980 spoolsv.exe (37), 2132 svchost.exe LanmanWorkstation (39), 2436 svchost.exe RmSvc (40), 2548 svchost.exe IKEEXT (41), 2556 svchost.exe PolicyAgent (42), 2620 svchost.exe NetworkService (43), 2684 svchost.exe LanmanServer (44), 2700 sysmon.exe (45), 2720 svchost.exe TrkWks (46)
  The first block (parents writing into children they are launching: cmd.exe into sc.exe and powercfg.exe, cli_gui.exe into cmd.exe) is ordinary CreateProcess plumbing. The hollowed dialer.exe writing into winlogon.exe, lsass.exe, sysmon.exe and nearly every service host is not.
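The three process-manipulation signatures above (NtCreateUserProcessOtherParentProcess, SetThreadContext, WriteProcessMemory) are easier to reason about as relationships than as flat rows. The following is an added example, not part of the Triage report or of the sample: it replays a constructed set of events modelled on the report's PIDs (updater.exe 4924 launching helpers with Explorer.EXE 3284 as the recorded parent, rewriting the thread context of the dialer.exe 2912 it created, and dialer.exe writing into winlogon.exe, lsass.exe, several svchost.exe hosts and sysmon.exe) and applies three checks: a child whose recorded parent is not its creator, a SetThreadContext on a child the caller itself created, and a process writing into several processes it did not create. The event layout (`creator`, `parent`, `target` fields) is an assumption of the example; in practice it needs telemetry that records both the calling process and the parent written onto the new process (the ETW Kernel-Process provider does; Sysmon event 1 only reports the recorded parent).

```python
from collections import defaultdict

# Constructed telemetry modelled on this report's process tree and IoCs. PIDs and
# image names are the report's; the field layout is an assumption of this example.
# For ProcessCreate, "creator" is the process that issued the create call and
# "parent" is the parent recorded on the new process. They differ when the creator
# hands the kernel an explicit parent handle, which is what the report's
# NtCreateUserProcessOtherParentProcess signature is about.
KNOWN_SYSTEM_PROCESSES = {
    3284: "Explorer.EXE", 636: "winlogon.exe", 696: "lsass.exe",
    984: "svchost.exe (LSM)", 1176: "svchost.exe (Schedule)",
    1408: "svchost.exe (EventLog)", 2700: "sysmon.exe",
}

EVENTS = [
    {"type": "ProcessCreate", "creator": 3284, "parent": 3284, "pid": 1204, "image": "weave.exe"},
    {"type": "ProcessCreate", "creator": 1204, "parent": 1204, "pid": 1804, "image": "cli_gui.exe"},
    {"type": "ProcessCreate", "creator": 1204, "parent": 1204, "pid": 4924, "image": "updater.exe"},
    # updater.exe launches its helpers with Explorer.EXE as the recorded parent
    {"type": "ProcessCreate", "creator": 4924, "parent": 3284, "pid": 2544, "image": "powershell.exe"},
    {"type": "ProcessCreate", "creator": 4924, "parent": 3284, "pid": 2708, "image": "cmd.exe"},
    {"type": "ProcessCreate", "creator": 4924, "parent": 3284, "pid": 2912, "image": "dialer.exe"},
    # updater.exe rewrites the thread context of the dialer.exe it just created
    {"type": "SetThreadContext", "pid": 4924, "target": 2912},
    # dialer.exe then writes into unrelated system processes
    {"type": "WriteProcessMemory", "pid": 2912, "target": 636},
    {"type": "WriteProcessMemory", "pid": 2912, "target": 696},
    {"type": "WriteProcessMemory", "pid": 2912, "target": 984},
    {"type": "WriteProcessMemory", "pid": 2912, "target": 1176},
    {"type": "WriteProcessMemory", "pid": 2912, "target": 1408},
    {"type": "WriteProcessMemory", "pid": 2912, "target": 2700},
    # routine: cmd.exe writing into the sc.exe child it is launching
    {"type": "ProcessCreate", "creator": 2708, "parent": 2708, "pid": 1568, "image": "sc.exe"},
    {"type": "WriteProcessMemory", "pid": 2708, "target": 1568},
]


def image_map(events):
    """pid -> image name, from ProcessCreate events plus the known system processes."""
    names = dict(KNOWN_SYSTEM_PROCESSES)
    for e in events:
        if e["type"] == "ProcessCreate":
            names[e["pid"]] = e["image"]
    return names


def creators(events):
    """pid -> pid of the process that actually issued the create call."""
    return {e["pid"]: e["creator"] for e in events if e["type"] == "ProcessCreate"}


def ppid_spoofing(events):
    """(creator_pid, child_pid, recorded_parent_pid) for children whose recorded
    parent is not the process that created them."""
    return [(e["creator"], e["pid"], e["parent"]) for e in events
            if e["type"] == "ProcessCreate" and e["creator"] != e["parent"]]


def hollowing_candidates(events):
    """(writer_pid, target_pid) where a process calls SetThreadContext on a child it
    created itself: the create-suspended, overwrite, redirect-thread sequence."""
    made_by = creators(events)
    return [(e["pid"], e["target"]) for e in events
            if e["type"] == "SetThreadContext" and made_by.get(e["target"]) == e["pid"]]


def memory_write_fanout(events, min_targets=3):
    """writer_pid -> sorted target pids, for writers touching at least min_targets
    processes they did not create. A parent writing into the child it is launching
    is normal CreateProcess plumbing and is excluded."""
    made_by = creators(events)
    targets = defaultdict(set)
    for e in events:
        if e["type"] == "WriteProcessMemory" and made_by.get(e["target"]) != e["pid"]:
            targets[e["pid"]].add(e["target"])
    return {pid: sorted(t) for pid, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    names = image_map(EVENTS)
    for creator, child, parent in ppid_spoofing(EVENTS):
        print(f"PPID spoofing: {names[creator]} ({creator}) created {names[child]} ({child}) "
              f"with recorded parent {names[parent]} ({parent})")
    for writer, target in hollowing_candidates(EVENTS):
        print(f"Thread-context rewrite of own child: {names[writer]} ({writer}) -> "
              f"{names[target]} ({target})")
    for writer, victims in memory_write_fanout(EVENTS).items():
        print(f"Memory writes from {names[writer]} ({writer}) into: "
              + ", ".join(f"{names[v]} ({v})" for v in victims))
```

Run stand-alone it reports the three spoofed children, the single hollowing pair and dialer.exe's fan-out, while staying silent on cmd.exe writing into its own sc.exe child. The creator-versus-parent comparison is the part most telemetry pipelines lack; without it the spoofed children are indistinguishable from things the user launched from Explorer, which is exactly what the process tree in this report shows.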
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Indentation reflects the parent recorded on each process. Most of the depth-2 children of Explorer.EXE (PID 3284) other than weave.exe were created by updater.exe with Explorer as the spoofed parent; see the NtCreateUserProcessOtherParentProcess IoCs above. Where the command line does not spell out the image path, the image is given in parentheses.

PID 636  C:\Windows\system32\winlogon.exe  (cmd: winlogon.exe)
  PID 428  C:\Windows\system32\dwm.exe  (cmd: "dwm.exe")
PID 696  C:\Windows\system32\lsass.exe
PID 984  C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
PID 560  C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
PID 1004  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
PID 1084  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
PID 1176  C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
    - Drops file in System32 directory
  PID 1916  "C:\Program Files\Microsoft\Edge\updater.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
PID 1192  C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
PID 1260  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
PID 1276  C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
PID 1316  C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
PID 1384  C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
PID 1408  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
    - Indicator Removal: Clear Windows Event Logs
PID 1492  C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  PID 2840  C:\Windows\system32\sihost.exe  (cmd: sihost.exe)
PID 1528  C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
PID 1544  C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
PID 1708  C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
PID 1760  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
PID 1792  C:\Windows\system32\svchost.exe -k NetworkService -p
PID 1812  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
PID 1848  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
PID 1856  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
PID 1880  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
PID 1968  C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
PID 2032  C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
PID 1980  C:\Windows\System32\spoolsv.exe
PID 2132  C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
PID 2436  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
PID 2548  C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
PID 2556  C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
PID 2620  C:\Windows\system32\svchost.exe -k NetworkService -p
PID 2684  C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
PID 2700  C:\Windows\sysmon.exe
PID 2720  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
PID 2740  C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
    - Suspicious use of AdjustPrivilegeToken
PID 2760  C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
PID 2860  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 3096  C:\Windows\system32\wbem\unsecapp.exe -Embedding
PID 3284  C:\Windows\Explorer.EXE
  PID 1204  "C:\Users\Admin\AppData\Local\Temp\weave.exe"
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    PID 1804  "C:\Users\Admin\AppData\Local\Temp\cli_gui.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of WriteProcessMemory
      PID 3996  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID 3840  C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\windows\system32'" > NUL 2>&1
          - Suspicious use of WriteProcessMemory
        PID 3208  powershell -Command "Add-MpPreference -ExclusionPath 'C:\windows\system32'"  (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe)
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      PID 2788  C:\Windows\system32\cmd.exe /c cls
      PID 3580  C:\Windows\system32\cmd.exe /c cls
      PID 3500  C:\Windows\system32\cmd.exe /c cls
    PID 4924  "C:\Windows\system32\updater.exe"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
  PID 2544  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  PID 2708  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
      - Suspicious use of WriteProcessMemory
    PID 1568  sc stop UsoSvc  (C:\Windows\System32\sc.exe)
        - Launches sc.exe
    PID 4756  sc stop WaaSMedicSvc  (C:\Windows\System32\sc.exe)
        - Launches sc.exe
    PID 4652  sc stop wuauserv  (C:\Windows\System32\sc.exe)
        - Launches sc.exe
    PID 392  sc stop bits  (C:\Windows\System32\sc.exe)
        - Launches sc.exe
    PID 1360  sc stop dosvc  (C:\Windows\System32\sc.exe)
        - Launches sc.exe
  PID 3944  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      - Power Settings
      - Suspicious use of WriteProcessMemory
    PID 3512  powercfg /x -hibernate-timeout-ac 0  (C:\Windows\System32\powercfg.exe)
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
    PID 4104  powercfg /x -hibernate-timeout-dc 0  (C:\Windows\System32\powercfg.exe)
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
    PID 3336  powercfg /x -standby-timeout-ac 0  (C:\Windows\System32\powercfg.exe)
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
    PID 3124  powercfg /x -standby-timeout-dc 0  (C:\Windows\System32\powercfg.exe)
        - Power Settings
        - Suspicious use of AdjustPrivilegeToken
  PID 2912  C:\Windows\System32\dialer.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
  PID 2480  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lfvbfbo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MicrosoftEdge' /tr '''C:\Program Files\Microsoft\Edge\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Microsoft\Edge\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MicrosoftEdge' -User 'System' -RunLevel 'Highest' -Force; }
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    PID 3536  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 2880  C:\Windows\System32\schtasks.exe /run /tn "MicrosoftEdge"
    PID 1584  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 2712  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
    PID 2932  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 2292  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    PID 3396  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 4848  sc stop UsoSvc  (C:\Windows\System32\sc.exe)
        - Launches sc.exe
    PID 1928  sc stop WaaSMedicSvc  (C:\Windows\System32\sc.exe)
        - Launches sc.exe
    PID 1344  sc stop wuauserv  (C:\Windows\System32\sc.exe)
        - Launches sc.exe
    PID 1620  sc stop bits  (C:\Windows\System32\sc.exe)
        - Launches sc.exe
    PID 760  sc stop dosvc  (C:\Windows\System32\sc.exe)
        - Launches sc.exe
  PID 3464  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      - Power Settings
    PID 4448  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID 5112  powercfg /x -hibernate-timeout-ac 0  (C:\Windows\System32\powercfg.exe)
        - Power Settings
    PID 2084  powercfg /x -hibernate-timeout-dc 0  (C:\Windows\System32\powercfg.exe)
        - Power Settings
    PID 2008  powercfg /x -standby-timeout-ac 0  (C:\Windows\System32\powercfg.exe)
        - Power Settings
    PID 2812  powercfg /x -standby-timeout-dc 0  (C:\Windows\System32\powercfg.exe)
        - Power Settings
  PID 2468  C:\Windows\System32\dialer.exe
  PID 1512  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lfvbfbo#> IF(...) { schtasks /create ... } Else { Register-ScheduledTask ... }  (same task-registration command line as PID 2480)
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
    PID 2680  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  PID 1788  C:\Windows\System32\dialer.exe
  PID 5116  C:\Windows\System32\dialer.exe
PID 3432  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3492  C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
PID 3844  C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 3932  C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 3988  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 4040  C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
PID 4232  C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
PID 4476  C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
PID 4520  C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
PID 1460  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
PID 4300  C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
PID 3888  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
PID 2488  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
PID 4452  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:2128
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:3696
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:2332
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:4872
Network

MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  System Services (1)
    Service Execution (1)

Defense Evasion
  Impair Defenses (1)
  Indicator Removal (1)
    Clear Windows Event Logs (1)
  Virtualization/Sandbox Evasion (1)
Downloads

(unnamed file)
  Filesize: 2KB
  MD5:    627073ee3ca9676911bee35548eff2b8
  SHA1:   4c4b68c65e2cab9864b51167d710aa29ebdcff2e
  SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
  SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

(unnamed file)
  Filesize: 944B
  MD5:    2e8eb51096d6f6781456fef7df731d97
  SHA1:   ec2aaf851a618fb43c3d040a13a71997c25bda43
  SHA256: 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
  SHA512: 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

(unnamed file)
  Filesize: 944B
  MD5:    050567a067ffea4eb40fe2eefebdc1ee
  SHA1:   6e1fb2c7a7976e0724c532449e97722787a00fec
  SHA256: 3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e
  SHA512: 341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

(unnamed file)
  Filesize: 60B
  MD5:    d17fe0a3f47be24a6453e9ef58c94641
  SHA1:   6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

(unnamed file)
  Filesize: 2.9MB
  MD5:    8f21c4390128917bf5af5c2ee3fbc592
  SHA1:   733cc166b3161772755edf69314003a4a5e87953
  SHA256: 78b628830cd84013ba1bdab6c5f4a1529f828119157a77d212d86e82f35a817b
  SHA512: c5116b27a4f722168c934319cd804a0390490be8341f27d39337877ce1c14e72c3dcdf725b982961c14de0a3da96362f2a9d4f4c486b7658c87c4801155cb015

(unnamed file)
  Filesize: 5.7MB
  MD5:    8cd62e3ece85c4c3e9f6f7c816256adf
  SHA1:   9712769be3f755c5ecbe68d38800a3a8ecdaf324
  SHA256: 39ebcdbb6993787be2ed9d2b6668b9ee2707ca483a66b51d1302bfc610ba021b
  SHA512: a0aa9f0e6542c526fc18d48ab945d8be3245900381c9640f6e122a633a15dd9a9364bacd830fbc588a926ebef8240300c1fbf4211eae600cff8b7e2c63613501

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 4KB
  MD5:    dbbd2d4458d7e8094846420da595dfc3
  SHA1:   267cb47b904f14a519d2bd73abfdb30e1a06e1a6
  SHA256: e27390d57580e3dfba07bec3d8e430203bbc91e90f6937079b3fd52abc721bd4
  SHA512: 480e7ca865b811f79f35fcfe7a9ac0280b48d1f9459873d18f000db55c72d53345cf3a10075c1ac407439545f699ce2a7bef38b00b4e19439edf384b00045531

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5:    f2dd68ab8e611f0143c6ad176f223ae9
  SHA1:   30f580175773f251a9572fe757de6eaef6844abc
  SHA256: f935809085e90f8fc2c003afb46e81de28f3312ec097cf46f2bdc2488cb893e7
  SHA512: f664b850c2fc6773e48171be5c180d8bc5c3a27945f5e6604605006a3c93e0bf3a516b647d6411a4d6b75bdf0a5e15b4f3621bf5702bbc3c46f9b517cb69dd04