Analysis Overview
SHA256
fdabe139cac0f7474c8d1ab0b0436e56c17a765a8b80ba4651d23d3e5188868e
Threat Level: Likely malicious
The file wininit.exe was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-27 14:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-27 14:57
Reported
2025-01-27 14:59
Platform
win10v2004-20241007-en
Max time kernel
97s
Max time network
96s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
Executes dropped EXE
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\MountAssert.docx" /o ""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| IE | 52.109.76.243:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/1256-0-0x00007FFEE9E93000-0x00007FFEE9E95000-memory.dmp
memory/1256-1-0x00000000008B0000-0x00000000008FE000-memory.dmp
memory/1256-2-0x00000000010B0000-0x00000000010D0000-memory.dmp
memory/1256-3-0x00007FFEE9E90000-0x00007FFEEA951000-memory.dmp
memory/3456-4-0x00007FFEE9E90000-0x00007FFEEA951000-memory.dmp
memory/3456-11-0x0000015FE01D0000-0x0000015FE01F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dw3rbl0c.nu0.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3456-17-0x00007FFEE9E90000-0x00007FFEEA951000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wininit.exe
| MD5 | 40423a099938afe0b1f39a1317049914 |
| SHA1 | f54513aa10b40f8f4eb2f1df73680bd34750c9b3 |
| SHA256 | fdabe139cac0f7474c8d1ab0b0436e56c17a765a8b80ba4651d23d3e5188868e |
| SHA512 | 84745d42d2c309f4c2b992a77ea65ab3fb8fa89aaa749c7404db1d6fc1d5439a91068397753be26e887b1a73ec852a57499e9f2896bcf6c67d67d337d0a7ff77 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
memory/1256-21-0x00007FFEE9E90000-0x00007FFEEA951000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d42b6da621e8df5674e26b799c8e2aa |
| SHA1 | ab3ce1327ea1eeedb987ec823d5e0cb146bafa48 |
| SHA256 | 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c |
| SHA512 | 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 05b1e52b445582c060c505f3d89bc540 |
| SHA1 | acb74be5e672dc409bd265a30e7ae2df96bfa975 |
| SHA256 | 50184106d36bc22f8856534b64698338a0d7a4813d1b5802f0ae09ec9d995c7a |
| SHA512 | 1040f2ebea0cfc242d64a3ef36a8aa212bd7b2d45ecf518599f89cb2799568ba8d2361f900b61d753606bf5035d7340b47de13cf1de21ad29cceb76e0f194bf6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | eb1ad317bd25b55b2bbdce8a28a74a94 |
| SHA1 | 98a3978be4d10d62e7411946474579ee5bdc5ea6 |
| SHA256 | 9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98 |
| SHA512 | d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7301301f604e0d1d19a58d04a1907057 |
| SHA1 | 90e3bd66082d23f045a91b4fbfb925f35abde021 |
| SHA256 | 7e10373a04dada714097aa4600890fb899a00d1eb3c8eb0280a8fc0c602f578e |
| SHA512 | 3da233ebdad051ee8c87ee160c1616a468c02f31551edb427e2f0b29b5d6a50a6c0d65cfa694eb955e8bdff25f6fd48efc763455eb76ac6b80b66210905b6757 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0256bd284691ed0fc502ef3c8a7e58dc |
| SHA1 | dcdf69dc8ca8bf068f65d20ef1563bbe283e2413 |
| SHA256 | e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf |
| SHA512 | c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4165c906a376e655973cef247b5128f1 |
| SHA1 | c6299b6ab8b2db841900de376e9c4d676d61131e |
| SHA256 | fb0b3c822d300abbb892e6f218d6b4b62b80bb26d9184d1f4c731600053a3fc4 |
| SHA512 | 15783f2d3687388339c06423bd18c17a5704cd367bf1a1d08e436088984c0b5c52dc88d3b8455495a8051ba9f977aae34b69453e5ee252d928e74dcdebd4a11a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ce4540390cc4841c8973eb5a3e9f4f7d |
| SHA1 | 2293f30a6f4c9538bc5b06606c10a50ab4ecef8e |
| SHA256 | e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105 |
| SHA512 | 2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 51cf8df21f531e31f7740b4ec487a48a |
| SHA1 | 40c6a73b22d71625a62df109aefc92a5f9b9d13e |
| SHA256 | 263d9b98a897d1d66da4832af640c4bf5ab0ae91125ba12243453dfe714f3d0d |
| SHA512 | 57a85461f6ea96b26a8b53d3a9cca18543e4ddbe996e8f412fc4cf7cf6e9ffe558c96da7b322a42f18bef62020e65aee119bed6102f75e2f605df09b02ec6368 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | be67063c62a242565760a02a642a9f02 |
| SHA1 | d1043a892b44d6676f71b568f578fff947266a19 |
| SHA256 | 56f158298dc5f781d6636a0b15d040f9cffb1d46cd11079aa40a26b662217f48 |
| SHA512 | 90d2cbd882ff8043412ad25e74df0cf6b71d6f3fbdfa6f1efa0efc8eed86a925606c7d2e967f112a34d3f0e04f01a396898508571400dcf7e6fd69e78f406638 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fd98baf5a9c30d41317663898985593b |
| SHA1 | ea300b99f723d2429d75a6c40e0838bf60f17aad |
| SHA256 | 9d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96 |
| SHA512 | bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b7e0e67385d5dab240ab2f7c945f3443 |
| SHA1 | cb4b238a0757cc85115347f193946cdbfc089f4e |
| SHA256 | 8e1f6b184613f6618a22a3e3221276856dd07bc782423c1a208862c524bbb241 |
| SHA512 | ed243d9ef73e38a226cf2711a72cfb877cf90f0ee5e88a1db57747b76d9f14b9b2392849ba8e8a5510ae2ba3d15a5647ce7835323d49d93bb211c323a04fa14b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7aaabbabed1e03e27f0fc866977c8233 |
| SHA1 | 3674b1b903897a04ab60f4d2fab67dc68c8ef1c6 |
| SHA256 | afbd524eb67d6bd11320545d9992cde053a81467c26500607c9dfedfc54eb8c4 |
| SHA512 | dd3f6e176b3b2521b82cdea1516b1a442967424a961511cf3d5dd8406c3a37b84642364558eee1c90d560c62dd88f14d5504077a081d8fb09a9a2d23d20088d0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cc19bcff372d20459d3651ba8aef50e7 |
| SHA1 | 3c6f1d4cdd647864fb97a16b1aefba67fcee11f7 |
| SHA256 | 366473e774d8976c7fd4dc582220666fb61a4feb3f7c95e69b2a68ad9e446ec9 |
| SHA512 | a0e360ca4b6e874fd44612bf4b17f3722c0619da4f6bade12a62efadae88c2d33460114eaafa2bc3fb1cef5bea07e745b8bee24f15d0cacaff5f4a521b225080 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 624e41a75a6dfd62039973dbbfdbe622 |
| SHA1 | f791e4cc85d6ae7039acef57a9025b173d7e963b |
| SHA256 | ced1b5ac330145fa608627ad4de1dfb3533375f19b6da3d02ad202d0b7732bc1 |
| SHA512 | a13a128a5ea8aad3bcd5f3dbffa5fbfe7763370d8e43b546a1df1da3b0ec0d520cf5fcc8c25c22fd1e73ea1d00da1bee99305e028e71e193339e4fa8ce8f0b2d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ab1f525c4e4c942fb3654fad5e54a979 |
| SHA1 | 7df9344eb1de6973d599369eb3c2c8edc88cb06a |
| SHA256 | 8b370b74d81b39c9d887a8980f1c8c69bacbfaac0b07e963d93bedd02808773f |
| SHA512 | fdb479eea402ae846e2f96bef0252ba2edfbb4f0cbde9ec1cad653cdc2fc8dff8f52cd9501a2c5629b762085f0a6d17163a8cdbe41412aeb1a1ab57b1c7cd213 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3b444d3f0ddea49d84cc7b3972abe0e6 |
| SHA1 | 0a896b3808e68d5d72c2655621f43b0b2c65ae02 |
| SHA256 | ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74 |
| SHA512 | eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bf3651a8682259b5e292b98289271f76 |
| SHA1 | 4694a32734c377985dafbd15e26b9a129f1e4a45 |
| SHA256 | 5ffc07abea05b9bb523e511ed75995488a22e3dd54fddc50b62b8336bd57c575 |
| SHA512 | d9cd369fc710131f0f24c3add83a923625831b1bfb4fba0da83dd71fa41a4ed5a0f0e00755f3cf8ae2aef4aa498c353348c51c167f7d6a2af834f07c78b33896 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e3b6cc0fbea08a0831f0026a696db8b8 |
| SHA1 | 4e32202d4700061cfd80d55e42798131c9f530d4 |
| SHA256 | 3284cae7b82be99d93064390ba071ba4321f3f24dd21515b37b2ca9f31b2e8d5 |
| SHA512 | 6a06856f360b48c8bc8a15ffb8d7a6604ec357bcb1d0fad5d71a2cb876929a7b67eb40ba4493998ab1bbae8cb71212e124276f27d5c138a135041c27a41a0b7a |
memory/3120-251-0x00007FFEC7F90000-0x00007FFEC7FA0000-memory.dmp
memory/3120-253-0x00007FFEC7F90000-0x00007FFEC7FA0000-memory.dmp
memory/3120-252-0x00007FFEC7F90000-0x00007FFEC7FA0000-memory.dmp
memory/3120-254-0x00007FFEC7F90000-0x00007FFEC7FA0000-memory.dmp
memory/3120-255-0x00007FFEC7F90000-0x00007FFEC7FA0000-memory.dmp
memory/3120-256-0x00007FFEC5710000-0x00007FFEC5720000-memory.dmp
memory/3120-257-0x00007FFEC5710000-0x00007FFEC5720000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| MD5 | 04615231d7987d325fe89ba50c4e97f9 |
| SHA1 | 8d9b442eb8c682d34b70a1da92ff87b861a90521 |
| SHA256 | 802493792ceaa5f72aafd2dd9812ea4c2c7386be216f490294d318b9bcaa34ba |
| SHA512 | 6ab0471b9f4881e3213673804455dd24d90d14a8e4bd09ebb9068aa230e494c74a2fcb0588fc9cdeddc2b3bd7219d459b5df36cf74626ab90d3a9e2730dbbeeb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ba169f4dcbbf147fe78ef0061a95e83b |
| SHA1 | 92a571a6eef49fff666e0f62a3545bcd1cdcda67 |
| SHA256 | 5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1 |
| SHA512 | 8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c |
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-27 14:57
Reported
2025-01-27 15:00
Platform
win10ltsc2021-20250113-en
Max time kernel
150s
Max time network
141s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4069049685-955655941-4058287599-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wininit.exe | N/A |
Executes dropped EXE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\wininit.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
Network
| Country | Destination | Domain | Proto |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m1d05gsp.0ia.ps1
C:\Users\Admin\AppData\Local\Temp\wininit.exe
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 75ae08a4a068b23ce626d07e9f3788aa |
| SHA1 | a32274e443918e1a3c70cc2d60fab562be0a8fe8 |
| SHA256 | d43e73ad55648e865173cf4552cf1f812d299c5d58f8cdc83a2f10365633840d |
| SHA512 | 0597f93a8ed7e7fbabdb0d088723a0b8d4e6277c65e3d732bd593930dfb8d454cbba7a483f1173fe63ec3f548ece1825e312876a5ec4569d54b0bef12f2196d6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1771f6251d2757dc5e8ed002029e35e5 |
| SHA1 | 871c6950788ff5779ed84e89593683e1a4f5629f |
| SHA256 | d34917f13ae4b2e8eefda80e46b0e97e0acc1dab6e3e3c1b93b869cb53a77be4 |
| SHA512 | 3512b17367ceaa609b57718aea88515eb53d5a8cfb37879bccfc40794df3f9e2fe9e3e454fc8a756e2d7154ff901f35c5141b6ff5ca5ba0a1743a260cd13a3a1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 155d3b9f05828b294af8ae906ee2180f |
| SHA1 | 453e8f2b366a57e060a6ddb1f2a07d39d18e8139 |
| SHA256 | e3b8d71be31550e2568669257922af8666002d64ba9bc7e2f12d4d6bcd1c1d51 |
| SHA512 | 177053a12a46e3c6ede47d577fbda6a54dfa581b65e99f67280f05c222627ee83024703784da18bfecb43438700cee3281ea6c9d136bd34a0c9940373709f5ff |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3166af632810a02e6d427c3554f251f5 |
| SHA1 | e6f99f9ac43ef3c2d86144b09b43315ac78b1188 |
| SHA256 | 3db0b1610a167e570ca00c0714b36e0e872851ffc09765797674e06302290355 |
| SHA512 | 30f4fe4866053aaeb511f58abcfda32b06bac234e2592e8e8ecb4117edc3aa1b756fc8bf33bf338ec550575eef048f84cdd0dad96861ad0ab0fc05f4dd80bc56 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7042051318ea057f67f377da796744bc |
| SHA1 | d474fe023ab765861b4ccaf7e8c1aca65d101360 |
| SHA256 | 3e3b6c418aa35efdcae9bf4349543b26cefa3ba00d1acc163296007dc99c5a10 |
| SHA512 | bb2cc212affe3424489126574fd25d65b18eece069ae75cc547776d0c81e46741fcab016be6f4ae5ac7a3d7e34ce9dd4f9dbecabb2790412dfba42065df93905 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d12bf0977e627c7b7f0a3b7592d68397 |
| SHA1 | b6bb910a4a2c554d9df0de4d691ec4e5e54c36bb |
| SHA256 | 8256f2f7bfc45a2c3829e2d80e064f23953dcca670fe5a86ec09c822c895dabe |
| SHA512 | 01367196d606710f73ea36216d57262b4efa612fde0c55e280607076e762f85963f3584b241bc4e67cba7fd53f6a59571378ebd116e5f1a8c824082976c86c7b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 11d2c775b6d50ed94b01f5d20be33ff0 |
| SHA1 | b3100ef2d19d1d631d3a7316e723237f1cc38d84 |
| SHA256 | 32a71041ac4e85cb23b098ea34f38aa110a60f9e3af9d0a94e28e54c99d3a90b |
| SHA512 | c23c01c60ff6a781bb8671f4868770246a0785102173249c850c2ce1d5daea768fd62af88af7a8849656d8f6a8299a6ed5df664cd948c0e92c8051bfa461a138 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 08b59cf8e2e3a929ea95184bf5aa591a |
| SHA1 | 4f515ff72e582be6122d1642996c1e575c515e2b |
| SHA256 | dc31980e5e8823ff48fd4c1e8fec022358d874c21d3ba766c64fae24ad3aeeeb |
| SHA512 | c1af66be8dfaaf2ab50487e77438f9d78bca794fd3e2378cd4f4fb67b4038a02f606b9e8258c29cf0988400b72b903bf3d403b0b6c47c2bc87f4702d644eab71 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b2baf0ab0d2d6efba1e300590c4b7cd3 |
| SHA1 | 7e8197c8374831f27e79631f0450f00d27256410 |
| SHA256 | d429c9f0dacf515041d679d92c946b2964523ca983f155d595a302b096fabbff |
| SHA512 | f672fd2457740ab6cf23ced8430d3ed78dc6aeb1ec92a34dbd2c8f1bc82b2a35d0dd18712a8a17e68992218eb77af9faddd8032b94566bafc0db0972c442b155 |
memory/4212-263-0x0000020B7E9D0000-0x0000020B7EBED000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0351b6d5385995efd8f0f96e10779d90 |
| SHA1 | 1503b8b19f80adf6ff439b97825adc798b5025d5 |
| SHA256 | cfa345952ebffdddb214c2f7da3b33515841602a93173f9635c9513a6cad685d |
| SHA512 | 80be5424fc5e3eec6ff41475b05d03b75c80de5f6477c9084f9da374b7197056a84432c17e8cb77e9d3c08fbd01f9fca9c6b4859e2f984d4de70ce704b855cae |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9a194f191956e9bf257c5b594e7a994a |
| SHA1 | 46dd61af2c025a8b3c74017d56d309154e6a1efc |
| SHA256 | fe8468f17b76f055c7f4fddf99d2ef65306cc96758f74aee40b7d483472fdf59 |
| SHA512 | 2134edf7e90fe0a3cb57ac79276ee1055f4050027f87481864cedeadeccee10b743f15bb4afed867bc9d23144b1c2e80ac8ca22effcc4bfc9d3aa8dfe4891d3b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bcf3a97d5c08d9a1e73abd942c8f0f29 |
| SHA1 | adc0022f83a5e99e5299548ac28fb094ba69fed3 |
| SHA256 | 781fa6aa6402275ae385a156ad65c1889381c14dfc71eff0b563c3524dea119d |
| SHA512 | a2dd595ca3fba27d01c135d3c6ab035391dc7d802c2018f7466d1ff7b78b4f407a6d60a403d98ee0342fbd5074f47e73f9941bb956b93ac573cb980b8cf0fe4b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | da3bd2dcb9080852c2dac79da67892de |
| SHA1 | a19d48083e260e06b88f97ddb72f33a914e29304 |
| SHA256 | 8a4ebcd2e1d20b7fbffa9ac4f2c7561dd692c277b0f3ce438952777b3f69cab4 |
| SHA512 | 8a670abecb5609aca7dd66423740e4c5798f12f59a9258b1bc0f64cbc25a4f9cd4f8143bca2291023ca011dab9f7f771d0960787e8abe42ef8e742c6d0098d57 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 981674e0dba72b7979ab34685f90601d |
| SHA1 | 0c26c40f5049e8f157ee79d00795f7dcfc339cf7 |
| SHA256 | b851f5a0ad0f4d785bae0507529b59d2ef322c9abe3af6b7c22066a256f13627 |
| SHA512 | 4e14ca11c16f0a07f376b5a6debb9b018d1ebf7068cbb1b69f69aaf8b0e83c28aa428b4f796aa9844c1dde690536e9f95bdb11b63fa06f058cc3cc7218c743d9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3726ddfd0b78d84ff1238805dd057c46 |
| SHA1 | d659e588d74ebceae1d1314094bf4a2b5e503ca4 |
| SHA256 | bebe6c87c970f73beb977e6d93a2249b15e08a1ca01ae0f35a666a9030512cb5 |
| SHA512 | 3ad071f31234f93549f79c6a7687cf560cfa0f51351fd8a17c0ec9eca14f4ee420c0afd4b2213bdeb4c20d620b7e7dd71ff59580150c35c002e638717bee12ed |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5a5599171bd8146c5c047514d62f9591 |
| SHA1 | edbc64f8a189733dcc337f00888783d633e89cfa |
| SHA256 | 29aa2d778ebb775c577a763da4c970a0baa4f58d4683a4d02e1efd1360ade32f |
| SHA512 | 42b60a33720bfc35c55b5bcf38ac787eaba2efd8987ecc69863dc7304aef84b601d0509f42e7b20947b6b14497de9b506e15d48ff427e1fbea00776db54118df |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 78c5ac9ea38da78fe922d8e63fae9642 |
| SHA1 | ef39e7c9c49f25b260154948ad98961d660b477a |
| SHA256 | 483ca85be941c917e284bc3b14f770a00580978e1e2edd326aaf0facc3d5fb68 |
| SHA512 | f6c75b9f6f7d715e2c70cc63073f74cb771c942582a2cd70bd50f764c173a41a9d32d1dce412f0aa008bd54cbfeb0c642744848e926979a35f196e90757ec68a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 273760112f1f2e60426631713dc50319 |
| SHA1 | 3c1e9b5b5a7934720ae53ef6e844387860dd1e51 |
| SHA256 | 057dc9b8f7c35b6fb55f8a2618fb75057ada88a95629c4414ed67e9fc2542247 |
| SHA512 | 17d5f6244bf7e892b9b22c3ed72d44cc794e630e075038ea51c3e680298fb7110937416c741bd114431386eafa4fa41d8cec6b66515ca43b9ddf4d57cf0c5317 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fffbe9f75db9bf26859b39ecd64372eb |
| SHA1 | 836a1d21d489ade22ceaf4a82a14cc3ae6f5dd8c |
| SHA256 | c222ea2d80f67c34ffa17251230eaf77ae6f66668e88fbe33f90b24e826ba465 |
| SHA512 | 1ce78abc48dcf15ee2dfccacd4d49b47ce65eb77e6ab58469a52ad02de9a8b55f545e01e7953d0f1f873b573144d32110c16de056366889bb23780fa35d4c0de |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3cefd14c68b85c99cb30a11b9ad13241 |
| SHA1 | 173a2e157de2b9a6bc0f7d7cc86aeac4490ca4c2 |
| SHA256 | 8882af4b9244bf3122660023f7376385ab2d558de1c0c06904f2b4462d4b806b |
| SHA512 | 2a2a724b2eba645e68f5eab1d91b80b8a5a3830e719f17a7a1444fe64439fe01a31ac7dcb16ac10cd4f8b0d0849ece6c450d4de76c892a744a408dd649555163 |
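The listing above is the sandbox's raw dropped-file and memory-dump records: the same PowerShell path recurs dozens of times with different digests, and two memory dumps are named by PID and address range. As an added example (not part of the original report and not any sandbox vendor's tooling), the Python below parses that exact format into hash records, counts how many distinct versions of each path were written, emits a de-duplicated SHA256 list for hunting, and decodes the `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` names into region sizes so equal-sized regions in different processes stand out. The embedded sample is constructed from three of the file records and both dump names copied from the listing; the function names (`parse_report`, `ioc_lines`, and so on) are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: three dropped-file records and both memory-dump names
# copied verbatim from the listing above (the full report has many more).
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 014f71a6acded9d2985322a79aa49202 |
| SHA1 | 622c887c223d4807b6fff00bcec733f29d3070c4 |
| SHA256 | 2706f51a2e6b15845205415791c33cc03c21aaa7421c46f5651df06d81f76d19 |
| SHA512 | 199dadd2b954b9f27e7290bf1f383c476ad2d93883243aa86d23408d016006ac4d39993bd3aa4b6d93a828aecafd66dd8ef431dca5d3c98b5fd86b4c96cb3a56 |
memory/4616-70-0x000002CB2C220000-0x000002CB2C43D000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 438f7ee10c8a4d22dc7c15abb572fc65 |
| SHA1 | 75fb1bcac3f8311987a62f14312e2dccf25cc339 |
| SHA256 | 8d572eefdc4eb4dfa7e71c40d0f6d8d0739ca917c7779ad20359b36f9ff43234 |
| SHA512 | 4c0cf5f90bbc6b409fda1bd24fbdd44328add0f959b647dd443c0f0d25b4688fe6afa2051dc58ac4017da21d6ed27ec0db892b9ff4e7852d78af1b94cb221035 |
memory/4212-263-0x0000020B7E9D0000-0x0000020B7EBED000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0351b6d5385995efd8f0f96e10779d90 |
| SHA1 | 1503b8b19f80adf6ff439b97825adc798b5025d5 |
| SHA256 | cfa345952ebffdddb214c2f7da3b33515841602a93173f9635c9513a6cad685d |
| SHA512 | 80be5424fc5e3eec6ff41475b05d03b75c80de5f6477c9084f9da374b7197056a84432c17e8cb77e9d3c08fbd01f9fca9c6b4859e2f984d4de70ce704b855cae |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
MEM_DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_report(text):
    """Split the listing into dropped-file records and memory-dump records.

    A path line opens a record; the '| ALGO | digest |' rows after it belong to it.
    Digest length is checked so a truncated hash is rejected, not turned into a bad IOC.
    """
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{algo} digest has length {len(digest)}: {digest}")
            current["hashes"][algo] = digest
            continue
        m = MEM_DUMP.match(line)
        if m:
            pid, seq = int(m.group(1)), int(m.group(2))
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            dumps.append({"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start})
            current = None  # a dump line closes the open file record
            continue
        if line.startswith("|"):
            raise ValueError(f"unrecognised table row: {line}")
        current = {"path": line, "hashes": {}}  # any other line is a dropped-file path
        files.append(current)
    return files, dumps


def versions_by_path(files):
    """Distinct SHA256 values per path, i.e. how many times each file was rewritten."""
    seen = defaultdict(set)
    for rec in files:
        if "SHA256" in rec["hashes"]:
            seen[rec["path"]].add(rec["hashes"]["SHA256"])
    return {path: len(digests) for path, digests in seen.items()}


def ioc_lines(files, algo="SHA256"):
    """De-duplicated, sorted digests of one algorithm, ready for a hunt or blocklist."""
    return sorted({rec["hashes"][algo] for rec in files if algo in rec["hashes"]})


def dumps_with_same_size(dumps):
    """Region sizes that appear in more than one PID: candidates for the same payload."""
    by_size = defaultdict(list)
    for d in dumps:
        by_size[d["size"]].append(d["pid"])
    return {size: pids for size, pids in by_size.items() if len(pids) > 1}


if __name__ == "__main__":
    files, dumps = parse_report(SAMPLE_REPORT)
    for path, n in versions_by_path(files).items():
        print(f"{n} distinct version(s) of {path}")
    for size, pids in dumps_with_same_size(dumps).items():
        print(f"region size 0x{size:X} ({size} bytes) dumped from PIDs {pids}")
    print("\n".join(ioc_lines(files)))
```

Run against the sample, the script reports three distinct versions of the StartupProfileData-NonInteractive path and flags that both dumps cover a region of exactly 0x21D000 bytes, one in PID 4616 and one in PID 4212. An identical region size in two processes is a reason to diff the two dumps for the same injected or loaded image, but on its own it is only a lead, not proof; confirm by comparing the dump contents. The SHA256 list it emits is the form a practitioner would feed to EDR or a hash blocklist, though note that this particular file is rewritten by PowerShell on every non-interactive start, so its hashes identify this run rather than the malware itself.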