Analysis

  • max time kernel
    97s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/01/2025, 14:57

General

  • Target

    wininit.exe

  • Size

    259KB

  • MD5

    40423a099938afe0b1f39a1317049914

  • SHA1

    f54513aa10b40f8f4eb2f1df73680bd34750c9b3

  • SHA256

    fdabe139cac0f7474c8d1ab0b0436e56c17a765a8b80ba4651d23d3e5188868e

  • SHA512

    84745d42d2c309f4c2b992a77ea65ab3fb8fa89aaa749c7404db1d6fc1d5439a91068397753be26e887b1a73ec852a57499e9f2896bcf6c67d67d337d0a7ff77

  • SSDEEP

    6144:O3J/lKaBuZxpbGn1PPT4WZuOusQY1H9X7iGZeSE:gKaIrRfOuRYtlyS

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 33 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 33 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 33 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\wininit.exe
    "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3456
    • C:\Users\Admin\AppData\Local\Temp\wininit.exe
      "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4892
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3936
      • C:\Users\Admin\AppData\Local\Temp\wininit.exe
        "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3296
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3372
        • C:\Users\Admin\AppData\Local\Temp\wininit.exe
          "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2684
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2068
          • C:\Users\Admin\AppData\Local\Temp\wininit.exe
            "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2016
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4428
            • C:\Users\Admin\AppData\Local\Temp\wininit.exe
              "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4524
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:5012
              • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1056
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2280
                • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                  "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2308
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:208
                  • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                    "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                    9⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:232
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                      10⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2876
                    • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                      "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                      10⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2784
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                        11⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2360
                      • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                        "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                        11⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1408
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                          12⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4312
                        • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                          "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                          12⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:4992
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                            13⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2792
                          • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                            "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                            13⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:2096
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                              14⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1252
                            • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                              "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                              14⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:3176
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                15⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4480
                              • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                15⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of WriteProcessMemory
                                PID:5068
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                  16⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2532
                                • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                  "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                  16⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  PID:4060
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                    17⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2068
                                  • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                    "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                    17⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:5096
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                      18⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3908
                                    • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                      "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                      18⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2104
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                        19⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4252
                                      • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                        "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                        19⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:388
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                          20⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3000
                                        • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                          "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                          20⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3456
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                            21⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3156
                                          • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                            "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                            21⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:228
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                              22⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2436
                                            • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                              "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                              22⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:5096
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                23⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1048
                                              • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                23⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:4956
                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                  24⤵
                                                  • Command and Scripting Interpreter: PowerShell
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2164
                                                • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                  24⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2948
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                    25⤵
                                                    • Command and Scripting Interpreter: PowerShell
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:4492
                                                  • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                    25⤵
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:4744
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                      26⤵
                                                      • Command and Scripting Interpreter: PowerShell
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:3124
                                                    • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                      26⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2708
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                        27⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4028
                                                      • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                        27⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:5032
                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                          28⤵
                                                          • Command and Scripting Interpreter: PowerShell
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2568
                                                        • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                          28⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1848
                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                            29⤵
                                                            • Command and Scripting Interpreter: PowerShell
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:4992
                                                          • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                            29⤵
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2724
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                              30⤵
                                                              • Command and Scripting Interpreter: PowerShell
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:3036
                                                            • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                              30⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2836
                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                                31⤵
                                                                • Command and Scripting Interpreter: PowerShell
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:5044
                                                              • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                                31⤵
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:4976
                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                                  32⤵
                                                                  • Command and Scripting Interpreter: PowerShell
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1456
                                                                • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                                  32⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:4856
                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                                    33⤵
                                                                    • Command and Scripting Interpreter: PowerShell
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:4948
                                                                  • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                                    33⤵
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    PID:4188
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                                      34⤵
                                                                      • Command and Scripting Interpreter: PowerShell
                                                                      PID:1524
                                                                    • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                                      34⤵
                                                                      • Executes dropped EXE
                                                                      PID:2816
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\MountAssert.docx" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3120

Network

        Downloads
