Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    27/01/2025, 14:57

General

  • Target

    wininit.exe

  • Size

    259KB

  • MD5

    40423a099938afe0b1f39a1317049914

  • SHA1

    f54513aa10b40f8f4eb2f1df73680bd34750c9b3

  • SHA256

    fdabe139cac0f7474c8d1ab0b0436e56c17a765a8b80ba4651d23d3e5188868e

  • SHA512

    84745d42d2c309f4c2b992a77ea65ab3fb8fa89aaa749c7404db1d6fc1d5439a91068397753be26e887b1a73ec852a57499e9f2896bcf6c67d67d337d0a7ff77

  • SSDEEP

    6144:O3J/lKaBuZxpbGn1PPT4WZuOusQY1H9X7iGZeSE:gKaIrRfOuRYtlyS

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 46 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 46 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 45 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\wininit.exe
    "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3548
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4528
    • C:\Users\Admin\AppData\Local\Temp\wininit.exe
      "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3144
      • C:\Users\Admin\AppData\Local\Temp\wininit.exe
        "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3652
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4516
        • C:\Users\Admin\AppData\Local\Temp\wininit.exe
          "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3288
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:2328
          • C:\Users\Admin\AppData\Local\Temp\wininit.exe
            "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1664
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4616
            • C:\Users\Admin\AppData\Local\Temp\wininit.exe
              "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2732
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                PID:3828
              • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:1300
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                  8⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1176
                • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                  "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:4900
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3572
                  • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                    "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                    9⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of WriteProcessMemory
                    PID:5104
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                      10⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2840
                    • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                      "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                      10⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      PID:4444
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                        11⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        PID:3288
                      • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                        "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                        11⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        PID:224
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                          12⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4948
                        • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                          "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                          12⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of WriteProcessMemory
                          PID:3156
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                            13⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious behavior: EnumeratesProcesses
                            PID:4316
                          • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                            "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                            13⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of WriteProcessMemory
                            PID:3144
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                              14⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Suspicious behavior: EnumeratesProcesses
                              PID:1568
                            • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                              "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                              14⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of WriteProcessMemory
                              PID:2792
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                15⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Suspicious behavior: EnumeratesProcesses
                                PID:4056
                              • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                15⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of WriteProcessMemory
                                PID:3692
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                  16⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:572
                                • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                  "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                  16⤵
                                  • Checks computer location settings
                                  • Executes dropped EXE
                                  • Suspicious use of WriteProcessMemory
                                  PID:2736
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                    17⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    PID:2508
                                  • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                    "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                    17⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    PID:228
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                      18⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      PID:4916
                                    • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                      "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                      18⤵
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      PID:3012
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                        19⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        PID:2088
                                      • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                        "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                        19⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        PID:4148
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                          20⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          PID:1300
                                        • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                          "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                          20⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          PID:3988
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                            21⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            PID:3028
                                          • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                            "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                            21⤵
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            PID:5016
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                              22⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              PID:4212
                                            • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                              "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                              22⤵
                                              • Checks computer location settings
                                              • Executes dropped EXE
                                              PID:4076
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                23⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                PID:3140
                                              • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                23⤵
                                                • Checks computer location settings
                                                • Executes dropped EXE
                                                PID:1728
                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                  24⤵
                                                  • Command and Scripting Interpreter: PowerShell
                                                  PID:4556
                                                • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                  24⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  PID:3308
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                    25⤵
                                                    • Command and Scripting Interpreter: PowerShell
                                                    PID:4648
                                                  • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                    25⤵
                                                    • Checks computer location settings
                                                    • Executes dropped EXE
                                                    PID:4536
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                      26⤵
                                                      • Command and Scripting Interpreter: PowerShell
                                                      PID:1020
                                                    • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                      26⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      PID:1472
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                        27⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        PID:1744
                                                      • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                        27⤵
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        PID:4692
                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                          28⤵
                                                          • Command and Scripting Interpreter: PowerShell
                                                          PID:4476
                                                        • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                          28⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          PID:960
                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                            29⤵
                                                            • Command and Scripting Interpreter: PowerShell
                                                            PID:2800
                                                          • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                            29⤵
                                                            • Checks computer location settings
                                                            • Executes dropped EXE
                                                            PID:3720
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                              30⤵
                                                              • Command and Scripting Interpreter: PowerShell
                                                              PID:4076
                                                            • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                              30⤵
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              PID:352
                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                                31⤵
                                                                • Command and Scripting Interpreter: PowerShell
                                                                PID:2140
                                                              • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                                31⤵
                                                                • Checks computer location settings
                                                                • Executes dropped EXE
                                                                PID:2604
                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                                  32⤵
                                                                  • Command and Scripting Interpreter: PowerShell
                                                                  PID:1112
                                                                • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                                  32⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  PID:1840
                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                                    33⤵
                                                                    • Command and Scripting Interpreter: PowerShell
                                                                    PID:4068
                                                                  • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                                    33⤵
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    PID:1020
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                                      34⤵
                                                                      • Command and Scripting Interpreter: PowerShell
                                                                      PID:2816
                                                                    • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                                      34⤵
                                                                      • Checks computer location settings
                                                                      • Executes dropped EXE
                                                                      PID:3148
                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                                        35⤵
                                                                        • Command and Scripting Interpreter: PowerShell
                                                                        PID:2164
                                                                      • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                                        35⤵
                                                                        • Checks computer location settings
                                                                        • Executes dropped EXE
                                                                        PID:3708
                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                                          36⤵
                                                                          • Command and Scripting Interpreter: PowerShell
                                                                          PID:820
                                                                        • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                                          36⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          PID:4904
                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                                            37⤵
                                                                            • Command and Scripting Interpreter: PowerShell
                                                                            PID:4344
                                                                          • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                                            37⤵
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            PID:1556
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                                              38⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              PID:2532
                                                                            • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                                              38⤵
                                                                              • Checks computer location settings
                                                                              • Executes dropped EXE
                                                                              PID:1728
                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                                                39⤵
                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                PID:468
                                                                              • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                                                39⤵
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                PID:956
                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                                                  40⤵
                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                  PID:1704
                                                                                • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                                                  40⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  PID:4644
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                                                    41⤵
                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                    PID:3828
                                                                                  • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                                                    41⤵
                                                                                    • Checks computer location settings
                                                                                    • Executes dropped EXE
                                                                                    PID:2304
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                                                      42⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      PID:888
                                                                                    • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                                                      42⤵
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      PID:4392
                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                                                        43⤵
                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                        PID:4880
                                                                                      • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                                                        43⤵
                                                                                        • Checks computer location settings
                                                                                        • Executes dropped EXE
                                                                                        PID:4380
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                                                          44⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          PID:4920
                                                                                        • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                                                          44⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          PID:3804
                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                                                            45⤵
                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                            PID:4128
                                                                                          • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                                                            45⤵
                                                                                            • Checks computer location settings
                                                                                            • Executes dropped EXE
                                                                                            PID:392
                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                                                              46⤵
                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                              PID:1592
                                                                                            • C:\Users\Admin\AppData\Local\Temp\wininit.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
                                                                                              46⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              PID:2144
                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
                                                                                                47⤵
                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                PID:2476

Network

        MITRE ATT&CK Enterprise v15


        Downloads


          Filesize

          1KB

          MD5

          90a19c0a9453ec7d2ac5b96e9722e33d

          SHA1

          d69e69579a03de487f1e5195036d800a9f67c56a

          SHA256

          3d0c40485131be80596e77d24983d05891ff2215aa68d66209b9c71cee01ea09

          SHA512

          f6fa2573e6b3863f4bf21ad43498aacc453e6644e2b7564354d6e88022384fc12226154b15a52610b97c0a824dc2ebd8f61bb441a60a971b1b73694f94a8245b

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          438f7ee10c8a4d22dc7c15abb572fc65

          SHA1

          75fb1bcac3f8311987a62f14312e2dccf25cc339

          SHA256

          8d572eefdc4eb4dfa7e71c40d0f6d8d0739ca917c7779ad20359b36f9ff43234

          SHA512

          4c0cf5f90bbc6b409fda1bd24fbdd44328add0f959b647dd443c0f0d25b4688fe6afa2051dc58ac4017da21d6ed27ec0db892b9ff4e7852d78af1b94cb221035

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m1d05gsp.0ia.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\Temp\wininit.exe

          Filesize

          259KB

          MD5

          40423a099938afe0b1f39a1317049914

          SHA1

          f54513aa10b40f8f4eb2f1df73680bd34750c9b3

          SHA256

          fdabe139cac0f7474c8d1ab0b0436e56c17a765a8b80ba4651d23d3e5188868e

          SHA512

          84745d42d2c309f4c2b992a77ea65ab3fb8fa89aaa749c7404db1d6fc1d5439a91068397753be26e887b1a73ec852a57499e9f2896bcf6c67d67d337d0a7ff77

        • memory/3548-1-0x0000000000B30000-0x0000000000B7E000-memory.dmp

          Filesize

          312KB

        • memory/3548-21-0x00007FFBB3260000-0x00007FFBB3D22000-memory.dmp

          Filesize

          10.8MB

        • memory/3548-0-0x00007FFBB3263000-0x00007FFBB3265000-memory.dmp

          Filesize

          8KB

        • memory/3548-2-0x0000000002BD0000-0x0000000002BF0000-memory.dmp

          Filesize

          128KB

        • memory/3548-3-0x00007FFBB3260000-0x00007FFBB3D22000-memory.dmp

          Filesize

          10.8MB

        • memory/4212-263-0x0000020B7E9D0000-0x0000020B7EBED000-memory.dmp

          Filesize

          2.1MB

        • memory/4528-4-0x00007FFBB3260000-0x00007FFBB3D22000-memory.dmp

          Filesize

          10.8MB

        • memory/4528-10-0x0000026E4CB30000-0x0000026E4CB52000-memory.dmp

          Filesize

          136KB

        • memory/4528-17-0x00007FFBB3260000-0x00007FFBB3D22000-memory.dmp

          Filesize

          10.8MB

        • memory/4616-70-0x000002CB2C220000-0x000002CB2C43D000-memory.dmp

          Filesize

          2.1MB