
Microsoft\Windows\PowerShell\StartupProfileData-Interactive - while running, what process will this run?

Anonymous
2023-10-01T01:59:02+00:00

I got an alert: Suspicious Interactive PowerShell as SYSTEM
Image: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
Target image: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive


Locked Question. This question was migrated from the Microsoft Support Community.


2 answers

Sort by: Most helpful
  1. Anonymous
    2023-10-29T23:49:40+00:00

    Hey bro! I'm not an advisor or anything like that, just found this thread with the same issue as you. It's possible you (and I) are infected with the StripedFly malware, which was just discovered by Kaspersky Labs. From the article ( https://www.bleepingcomputer.com/news/security/stripedfly-malware-framework-infects-1-million-windows-linux-hosts/ ), obligatory non-Windows site warning (not that it matters if your DNS is spoofed). I have the file on my system too. Hoping someone at Microsoft gets on this.

    """

    For persistence on Windows systems, StripedFly adjusts its behavior based on the level of privileges it runs on and the presence of PowerShell.

    Without PowerShell, it generates a hidden file in the %APPDATA% directory. In cases where PowerShell is available, it executes scripts for creating scheduled tasks or modifying Windows Registry keys.

    """

    Edit: The file on my computer was in the C:\Users\[my user]\AppData\Local\Microsoft\Windows\PowerShell directory. There were 3 files:
    ModuleAnalysisCache

    StartupProfileData-Interactive
    StartupProfileData-NonInteractive


    6 people found this answer helpful.
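A triage script to go with the two posts above, added here as an example and not part of either poster's answer or of any Microsoft or Kaspersky material. PowerShell 5.x itself writes ModuleAnalysisCache, StartupProfileData-Interactive and StartupProfileData-NonInteractive into %LOCALAPPDATA%\Microsoft\Windows\PowerShell the first time it starts; for a process running as SYSTEM, %LOCALAPPDATA% is the systemprofile path in the original alert. Their presence therefore only shows that powershell.exe has run in that context; the useful question is what launched it. The script lists those cache files with owner and last-write time for every profile, then enumerates the two persistence mechanisms the quoted article names (scheduled tasks and Run/RunOnce registry keys) that launch powershell.exe. The regular expression of switches treated as worth a second look is my own heuristic, not an indicator from the article, and legitimate Windows components also schedule PowerShell, so treat hits as leads to examine, not verdicts. Assumes an elevated PowerShell 5.1 session on the affected machine.

```powershell
# Added triage example (not from the original thread). Run elevated.

# 1. PowerShell startup-cache files, per user profile and for SYSTEM.
$cacheNames = 'ModuleAnalysisCache', 'StartupProfileData-Interactive', 'StartupProfileData-NonInteractive'
$cacheRoots = @("$env:SystemRoot\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell")
$cacheRoots += Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Microsoft\Windows\PowerShell' }

$cacheInfo = foreach ($root in $cacheRoots) {
    foreach ($name in $cacheNames) {
        $p = Join-Path $root $name
        if (Test-Path -LiteralPath $p) {
            $f = Get-Item -LiteralPath $p
            [pscustomobject]@{
                Path          = $f.FullName
                SizeBytes     = $f.Length
                LastWriteTime = $f.LastWriteTime   # when powershell.exe last refreshed the cache
                Owner         = (Get-Acl -LiteralPath $p).Owner
            }
        }
    }
}
"== PowerShell startup caches =="
$cacheInfo | Format-Table -AutoSize

# Heuristic (my assumption, not from the article): switches and cmdlets that
# commonly appear in malicious PowerShell launch strings.
$suspiciousArgs = '-enc|-EncodedCommand|-w(indowstyle)?\s+h(idden)?|-nop(rofile)?|bypass|\biex\b|invoke-expression|downloadstring|frombase64string'

# 2. Scheduled tasks whose action runs powershell.exe or pwsh.exe.
$taskHits = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        # ComHandler actions have no Execute property; -match on $null is simply false.
        if ($a.Execute -match 'powershell|pwsh') {
            [pscustomobject]@{
                Source  = 'ScheduledTask'
                Name    = "$($task.TaskPath)$($task.TaskName)"
                RunAs   = $task.Principal.UserId
                Command = "$($a.Execute) $($a.Arguments)"
                Flagged = [bool]("$($a.Arguments)" -match $suspiciousArgs)
            }
        }
    }
}

# 3. Run / RunOnce values in HKLM and in every currently loaded user hive.
$runKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
           'Software\Microsoft\Windows\CurrentVersion\RunOnce'
$hives = @('HKLM:') + (Get-ChildItem Registry::HKEY_USERS | ForEach-Object { "Registry::$($_.Name)" })

$regHits = foreach ($hive in $hives) {
    foreach ($key in $runKeys) {
        $path = "$hive\$key"
        if (Test-Path $path) {
            $props = Get-ItemProperty -Path $path
            foreach ($prop in $props.PSObject.Properties) {
                # Skip the PSPath/PSParentPath/... properties the provider adds.
                if ($prop.Name -notmatch '^PS' -and "$($prop.Value)" -match 'powershell|pwsh') {
                    [pscustomobject]@{
                        Source  = 'Registry'
                        Name    = "$path\$($prop.Name)"
                        RunAs   = if ($hive -eq 'HKLM:') { 'machine' } else { $hive }
                        Command = $prop.Value
                        Flagged = [bool]("$($prop.Value)" -match $suspiciousArgs)
                    }
                }
            }
        }
    }
}

"== Persistence entries launching PowerShell (Flagged first) =="
@($taskHits) + @($regHits) | Sort-Object Flagged -Descending | Format-Table -AutoSize -Wrap
```

Compare the LastWriteTime of the systemprofile cache with the RunAs and trigger of any task that runs as SYSTEM; a cache refreshed at the same time a SYSTEM task fires is the link the original alert is missing. Anything Flagged should be examined by decoding its -EncodedCommand payload and checking the signing and location of any script file it points at before deleting it.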
  2. Anonymous
    2023-10-01T06:23:18+00:00

    Hey there!

    My name is Ravi, an independent advisor and expert user. I am happy to help you. :)

    I understand how concerning it can be to get such an alert. Let's troubleshoot it together.

    >> Run an SFC Scan.

    You can run SFC Scan by following these steps:

    1). On your keyboard, press the Windows logo key and R key at the same time to invoke the Run box.

    2). Type cmd and press Shift+Ctrl+Enter together on your keyboard to open Command Prompt in the administrator mode.

    Note: Do NOT click OK or just press the Enter key as that won’t allow you to open Command Prompt in the administrator mode.

    3). Type sfc /scannow (or copy-paste) and press Enter. Then wait until the verification is 100% complete.

    4). Restart your computer

    >>Run a malware scan.

    If you have an anti-virus, please run a full system scan to check if there's a suspicious activity or app.

    >> Delete any third-party app that you don't use.

    >> Disable and re-enable Windows PowerShell

    You can find different methods to disable PowerShell here: https://www.groovypost.com/howto/disable-powers...

    Disclaimer - This is a non-Microsoft website. The page appears to be providing accurate, safe information. Watch out for ads on the site that may advertise products frequently classified as PUP (Potentially Unwanted Products). Thoroughly research any product advertised on the site before downloading and installing it.

    The above link is in English; you need to use Translator to see it in your language.

    Feel free to get in touch again if you have any additional questions.

    Cheers,

    Ravi

