b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46

Analysis

max time kernel
139s
max time network
29s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 16:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe
Size

105KB
MD5

6eb399013bf58679dcbfb3c184509213
SHA1

18bd15efa52dbb99c7a7e997e36667d87c0caa48
SHA256

b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46
SHA512

3f45bab85413b733ecba45617bdf392b6f6e0cf028f285fce8c28317069ee60fdbde39e345851fa3350c14dbcf4b92326b950aaaf52c49f205a3c989ffb12566
SSDEEP

1536:EyqrQrFUH+HtWXiaAkc//////4KCCai/iZ72rHp/pOiqms1zLaqOiQMaz/iE0f:SqOHjyAc//////jCCLi+Jz1GaqdZazjg

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
516	bitsperf.exe
1704	bitsperf.exe
340	bitsperf.exe
1952	bitsperf.exe
1928	bitsperf.exe
916	bitsperf.exe
1732	bitsperf.exe
764	bitsperf.exe

Modifies Installed Components in the registry 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\bitsperf.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\bitsperf.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\bitsperf.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\bitsperf.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\bitsperf.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\bitsperf.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\bitsperf.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\bitsperf.exe /i"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}\StubPath = "C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\system32\\bitsperf.exe /i"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}	reg.exe

Loads dropped DLL 8 IoCs

pid	Process
1260	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe
516	bitsperf.exe
1704	bitsperf.exe
340	bitsperf.exe
1952	bitsperf.exe
1928	bitsperf.exe
916	bitsperf.exe
1732	bitsperf.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\_Setup.bat	bitsperf.exe
File created	C:\Windows\SysWOW64\_Setup.bat	bitsperf.exe
File created	C:\Windows\SysWOW64\c_l2657.nls	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe
File created	C:\Windows\SysWOW64\_Setup.bat	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe
File created	C:\Windows\SysWOW64\bitsperf.exe	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe
File created	C:\Windows\SysWOW64\_Setup.bat	bitsperf.exe
File created	C:\Windows\SysWOW64\_Setup.bat	bitsperf.exe
File created	C:\Windows\SysWOW64\_Setup.bat	bitsperf.exe
File created	C:\Windows\SysWOW64\_Setup.bat	bitsperf.exe
File created	C:\Windows\SysWOW64\_Setup.bat	bitsperf.exe
File created	C:\Windows\SysWOW64\_Setup.bat	bitsperf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1260 set thread context of 2040	1260	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	29

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1260	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe
516	bitsperf.exe
1704	bitsperf.exe
340	bitsperf.exe
1952	bitsperf.exe
1928	bitsperf.exe
916	bitsperf.exe
1732	bitsperf.exe
764	bitsperf.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2040	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 2012	1260	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	28
PID 1260 wrote to memory of 2012	1260	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	28
PID 1260 wrote to memory of 2012	1260	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	28
PID 1260 wrote to memory of 2012	1260	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	28
PID 1260 wrote to memory of 2012	1260	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	28
PID 1260 wrote to memory of 2012	1260	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	28
PID 1260 wrote to memory of 2012	1260	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	28
PID 1260 wrote to memory of 2040	1260	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	29
PID 1260 wrote to memory of 2040	1260	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	29
PID 1260 wrote to memory of 2040	1260	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	29
PID 1260 wrote to memory of 2040	1260	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	29
PID 1260 wrote to memory of 2040	1260	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	29
PID 1260 wrote to memory of 2040	1260	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	29
PID 2012 wrote to memory of 1148	2012	cmd.exe	31
PID 2012 wrote to memory of 1148	2012	cmd.exe	31
PID 2012 wrote to memory of 1148	2012	cmd.exe	31
PID 2012 wrote to memory of 1148	2012	cmd.exe	31
PID 2012 wrote to memory of 872	2012	cmd.exe	32
PID 2012 wrote to memory of 872	2012	cmd.exe	32
PID 2012 wrote to memory of 872	2012	cmd.exe	32
PID 2012 wrote to memory of 872	2012	cmd.exe	32
PID 1260 wrote to memory of 516	1260	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	33
PID 1260 wrote to memory of 516	1260	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	33
PID 1260 wrote to memory of 516	1260	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	33
PID 1260 wrote to memory of 516	1260	b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe	33
PID 516 wrote to memory of 1036	516	bitsperf.exe	34
PID 516 wrote to memory of 1036	516	bitsperf.exe	34
PID 516 wrote to memory of 1036	516	bitsperf.exe	34
PID 516 wrote to memory of 1036	516	bitsperf.exe	34
PID 516 wrote to memory of 1036	516	bitsperf.exe	34
PID 516 wrote to memory of 1036	516	bitsperf.exe	34
PID 516 wrote to memory of 1036	516	bitsperf.exe	34
PID 1036 wrote to memory of 1888	1036	cmd.exe	36
PID 1036 wrote to memory of 1888	1036	cmd.exe	36
PID 1036 wrote to memory of 1888	1036	cmd.exe	36
PID 1036 wrote to memory of 1888	1036	cmd.exe	36
PID 1036 wrote to memory of 992	1036	cmd.exe	37
PID 1036 wrote to memory of 992	1036	cmd.exe	37
PID 1036 wrote to memory of 992	1036	cmd.exe	37
PID 1036 wrote to memory of 992	1036	cmd.exe	37
PID 516 wrote to memory of 1704	516	bitsperf.exe	38
PID 516 wrote to memory of 1704	516	bitsperf.exe	38
PID 516 wrote to memory of 1704	516	bitsperf.exe	38
PID 516 wrote to memory of 1704	516	bitsperf.exe	38
PID 1704 wrote to memory of 380	1704	bitsperf.exe	39
PID 1704 wrote to memory of 380	1704	bitsperf.exe	39
PID 1704 wrote to memory of 380	1704	bitsperf.exe	39
PID 1704 wrote to memory of 380	1704	bitsperf.exe	39
PID 1704 wrote to memory of 380	1704	bitsperf.exe	39
PID 1704 wrote to memory of 380	1704	bitsperf.exe	39
PID 1704 wrote to memory of 380	1704	bitsperf.exe	39
PID 380 wrote to memory of 1092	380	cmd.exe	41
PID 380 wrote to memory of 1092	380	cmd.exe	41
PID 380 wrote to memory of 1092	380	cmd.exe	41
PID 380 wrote to memory of 1092	380	cmd.exe	41
PID 380 wrote to memory of 1592	380	cmd.exe	42
PID 380 wrote to memory of 1592	380	cmd.exe	42
PID 380 wrote to memory of 1592	380	cmd.exe	42
PID 380 wrote to memory of 1592	380	cmd.exe	42
PID 1704 wrote to memory of 340	1704	bitsperf.exe	43
PID 1704 wrote to memory of 340	1704	bitsperf.exe	43
PID 1704 wrote to memory of 340	1704	bitsperf.exe	43
PID 1704 wrote to memory of 340	1704	bitsperf.exe	43
PID 340 wrote to memory of 972	340	bitsperf.exe	44

C:\Users\Admin\AppData\Local\Temp\b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe
"C:\Users\Admin\AppData\Local\Temp\b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\_Setup.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\bitsperf.exe /i" /f
    3⤵
    - Modifies Installed Components in the registry
    PID:1148
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}" /f
    3⤵
    PID:872
- C:\Users\Admin\AppData\Local\Temp\b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe
  C:\Users\Admin\AppData\Local\Temp\b53ea94ec4269c0a45f87238e674a7ec96891c1ece6293a39c7daeb2bc198e46.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2040
- C:\Windows\SysWOW64\bitsperf.exe
  C:\Windows\system32\bitsperf.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\system32\_Setup.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\bitsperf.exe /i" /f
      4⤵
      Modifies Installed Components in the registry
      PID:1888
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}" /f
      4⤵
      PID:992
- - C:\Windows\SysWOW64\bitsperf.exe
    C:\Windows\system32\bitsperf.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\system32\_Setup.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:380
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\bitsperf.exe /i" /f
        5⤵
        Modifies Installed Components in the registry
        
        PID:1092
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}" /f
        5⤵
        
        PID:1592
  - - C:\Windows\SysWOW64\bitsperf.exe
      C:\Windows\system32\bitsperf.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:340
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\system32\_Setup.bat
        5⤵
        
        PID:972
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\bitsperf.exe /i" /f
        6⤵
        Modifies Installed Components in the registry
        
        PID:316
      - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}" /f
        6⤵
        
        PID:2004
    - - C:\Windows\SysWOW64\bitsperf.exe
        
        C:\Windows\system32\bitsperf.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1952
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\system32\_Setup.bat
        6⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\bitsperf.exe /i" /f
        7⤵
        Modifies Installed Components in the registry
        
        PID:1728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}" /f
        7⤵
        
        PID:876
      - C:\Windows\SysWOW64\bitsperf.exe
        
        C:\Windows\system32\bitsperf.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\system32\_Setup.bat
        7⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\bitsperf.exe /i" /f
        8⤵
        Modifies Installed Components in the registry
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}" /f
        8⤵
        
        PID:748
        
        C:\Windows\SysWOW64\bitsperf.exe
        
        C:\Windows\system32\bitsperf.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\system32\_Setup.bat
        8⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\bitsperf.exe /i" /f
        9⤵
        Modifies Installed Components in the registry
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}" /f
        9⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\bitsperf.exe
        
        C:\Windows\system32\bitsperf.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\system32\_Setup.bat
        9⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\bitsperf.exe /i" /f
        10⤵
        Modifies Installed Components in the registry
        
        PID:772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}" /f
        10⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\bitsperf.exe
        
        C:\Windows\system32\bitsperf.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Windows\system32\_Setup.bat
        10⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}" /v StubPath /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\system32\bitsperf.exe /i" /f
        11⤵
        Modifies Installed Components in the registry
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{V8Q50J4N-0H95-CKB2-KEUT-890K56DZ655S}" /f
        11⤵
        
        PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\_Setup.bat

Filesize
354B

MD5
6b2f36cfc32fdb91e0b0fa455508c55d

SHA1
82e4583ad2e710c6d95884b959c6f66bd85f7e9c

SHA256
7b3cecfc594950dab6e6816653adbd6b0ec10ea993f4cad725173234a18c6904

SHA512
0d46c8251e317b5003cc3d8152da27b9fd1b3c4faa3ec4d14299169baa12c361a1184fad4ddba71f41de80023d9d7c3623a620e82a863b5f39d9832980b50c62

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
354B

MD5
6b2f36cfc32fdb91e0b0fa455508c55d

SHA1
82e4583ad2e710c6d95884b959c6f66bd85f7e9c

SHA256
7b3cecfc594950dab6e6816653adbd6b0ec10ea993f4cad725173234a18c6904

SHA512
0d46c8251e317b5003cc3d8152da27b9fd1b3c4faa3ec4d14299169baa12c361a1184fad4ddba71f41de80023d9d7c3623a620e82a863b5f39d9832980b50c62

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
354B

MD5
6b2f36cfc32fdb91e0b0fa455508c55d

SHA1
82e4583ad2e710c6d95884b959c6f66bd85f7e9c

SHA256
7b3cecfc594950dab6e6816653adbd6b0ec10ea993f4cad725173234a18c6904

SHA512
0d46c8251e317b5003cc3d8152da27b9fd1b3c4faa3ec4d14299169baa12c361a1184fad4ddba71f41de80023d9d7c3623a620e82a863b5f39d9832980b50c62

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
354B

MD5
6b2f36cfc32fdb91e0b0fa455508c55d

SHA1
82e4583ad2e710c6d95884b959c6f66bd85f7e9c

SHA256
7b3cecfc594950dab6e6816653adbd6b0ec10ea993f4cad725173234a18c6904

SHA512
0d46c8251e317b5003cc3d8152da27b9fd1b3c4faa3ec4d14299169baa12c361a1184fad4ddba71f41de80023d9d7c3623a620e82a863b5f39d9832980b50c62

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
354B

MD5
6b2f36cfc32fdb91e0b0fa455508c55d

SHA1
82e4583ad2e710c6d95884b959c6f66bd85f7e9c

SHA256
7b3cecfc594950dab6e6816653adbd6b0ec10ea993f4cad725173234a18c6904

SHA512
0d46c8251e317b5003cc3d8152da27b9fd1b3c4faa3ec4d14299169baa12c361a1184fad4ddba71f41de80023d9d7c3623a620e82a863b5f39d9832980b50c62

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
354B

MD5
6b2f36cfc32fdb91e0b0fa455508c55d

SHA1
82e4583ad2e710c6d95884b959c6f66bd85f7e9c

SHA256
7b3cecfc594950dab6e6816653adbd6b0ec10ea993f4cad725173234a18c6904

SHA512
0d46c8251e317b5003cc3d8152da27b9fd1b3c4faa3ec4d14299169baa12c361a1184fad4ddba71f41de80023d9d7c3623a620e82a863b5f39d9832980b50c62

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
354B

MD5
6b2f36cfc32fdb91e0b0fa455508c55d

SHA1
82e4583ad2e710c6d95884b959c6f66bd85f7e9c

SHA256
7b3cecfc594950dab6e6816653adbd6b0ec10ea993f4cad725173234a18c6904

SHA512
0d46c8251e317b5003cc3d8152da27b9fd1b3c4faa3ec4d14299169baa12c361a1184fad4ddba71f41de80023d9d7c3623a620e82a863b5f39d9832980b50c62

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
354B

MD5
6b2f36cfc32fdb91e0b0fa455508c55d

SHA1
82e4583ad2e710c6d95884b959c6f66bd85f7e9c

SHA256
7b3cecfc594950dab6e6816653adbd6b0ec10ea993f4cad725173234a18c6904

SHA512
0d46c8251e317b5003cc3d8152da27b9fd1b3c4faa3ec4d14299169baa12c361a1184fad4ddba71f41de80023d9d7c3623a620e82a863b5f39d9832980b50c62

Download Submit
C:\Windows\SysWOW64\_Setup.bat

Filesize
354B

MD5
6b2f36cfc32fdb91e0b0fa455508c55d

SHA1
82e4583ad2e710c6d95884b959c6f66bd85f7e9c

SHA256
7b3cecfc594950dab6e6816653adbd6b0ec10ea993f4cad725173234a18c6904

SHA512
0d46c8251e317b5003cc3d8152da27b9fd1b3c4faa3ec4d14299169baa12c361a1184fad4ddba71f41de80023d9d7c3623a620e82a863b5f39d9832980b50c62

Download Submit
C:\Windows\SysWOW64\bitsperf.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\bitsperf.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\bitsperf.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\bitsperf.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\bitsperf.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\bitsperf.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\bitsperf.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\bitsperf.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\bitsperf.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
C:\Windows\SysWOW64\c_l2657.nls

Filesize
946B

MD5
1ce6a14c9f24a64863fbacc371ee5c7c

SHA1
803ef6a0b61bc347135d0852e955a64bfba94e6f

SHA256
48051b9546a73018a7c56ce77b9200efb78afc46dbf0474964bf526de4ab42de

SHA512
61d114fae4c6238fb294173e532e923d2791022fc8f00cef0565883dafa7fb7079d61f797bf7c5462511dd8cd55172e246582f5c565942b04ce422aa2d3f3dc8

Download Submit
\Windows\SysWOW64\bitsperf.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
\Windows\SysWOW64\bitsperf.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
\Windows\SysWOW64\bitsperf.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
\Windows\SysWOW64\bitsperf.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
\Windows\SysWOW64\bitsperf.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
\Windows\SysWOW64\bitsperf.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
\Windows\SysWOW64\bitsperf.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
\Windows\SysWOW64\bitsperf.exe

Filesize
85KB

MD5
0b86acb2126228d3ae2211f19b1baa50

SHA1
e21c3b6893f3e1690205b7b5662f74a518331e12

SHA256
9712851a40a3028f474494d04c2aeb68e02376f0b0ca20f5bbe8bc3ecf9c7196

SHA512
2f13141993482f412ed14f1e6ec43fc62e767fd335bea52f6fdd09a70a0e63d6c64130a9e9ebdec20a7ab1936f672b33b336c4b757b2d6ff910b4c29b57022bd

Download Submit
memory/2040-66-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2040-60-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2040-57-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2040-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download