0f12999db6a844d67fe861fbd02bebf31c97757f085426dd1e4d797586391820

Analysis

max time kernel
142s
max time network
188s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
25/02/2024, 12:20

Target

AutoGpuAffinity/bin/restart64/restart64.exe
Size

73KB
MD5

297aa19bade534a791d053ca190b74ad
SHA1

15cb6a33994f75fe9e30a2afbc8a7e4616b63962
SHA256

5f779bb822aedaf5bd11693cdf73f6c7c3342f37371a78c07c2aca1e15dbfd00
SHA512

df883950c598f31b81f22a68b2a9fed7459dcad5084ec6e39399658b0492bcc458d9fc5bb80fda6bc994bed3241f969fc67a0b8e021fb82b040455d64776c625
SSDEEP

1536:8vXMJl7uRupZzidl/T+Dnx86Rpy4roKsIrryeq3OTM:8vMJl6RAZu/T+7x8qpRM8rNcOTM

Score

5^/10

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	WMIADAP.EXE
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.h	WMIADAP.EXE
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	WMIADAP.EXE
File created	C:\Windows\system32\perfc009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh009.dat	WMIADAP.EXE
File created	C:\Windows\system32\PerfStringBackup.TMP	WMIADAP.EXE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	WMIADAP.EXE
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	WMIADAP.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2244	restart64.exe
Token: SeLoadDriverPrivilege	2244	restart64.exe
Token: 33	4172	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4172	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2244	restart64.exe

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\System32\perfc009.dat

Filesize
128KB

MD5
a9ae270f03cd818fc5ccb1fc114ed0f8

SHA1
57cfce4c18c0163fd41652ab89e4c51649eee492

SHA256
c08bb34abb284c2fb15d4372c2c3c2387f71ebeb920be89c9079e96c7a4ca3ec

SHA512
5fa35050038e187b0be9547ff86e49aa5272a273eefb83472758da5b818e4e86eba254422b4524fb7a4bd66bd5c3ae210162cab1247b601ea1a3fc6454703ef0

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
686KB

MD5
efeeda97e31eb12669293d78feaff451

SHA1
f3680730a9ed165f49be4a2b1be8477196f15afb

SHA256
a0ae9b96680526dd73b3469504eaeb3882c655e3f4557b9e120de1ddd8edb834

SHA512
452da0e9a2c17de87d5a0db150acf299310d684c50c4f16daa5f1c298267d76d990000a0bf4e5ffb2afe5769e74bfcdf351e8d68b933a432a9130cdcdd81f1b2

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.h

Filesize
3KB

MD5
b133a676d139032a27de3d9619e70091

SHA1
1248aa89938a13640252a79113930ede2f26f1fa

SHA256
ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15

SHA512
c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.ini

Filesize
29KB

MD5
ffdeea82ba4a5a65585103dd2a922dfe

SHA1
094c3794503245cc7dfa9e222d3504f449a5400b

SHA256
c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390

SHA512
7570527fdae4818f0fc780f9f141ab6a2d313cc6b3fdb1f7d7ff05d994ad77d3f8d168b1d77c2555d25dc487d24c18f2cc0eab505d1dd758d709f2576aac1a8a

Download Submit