Analysis
max time kernel: 1800s
max time network: 1146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/12/2024, 20:21
Static task: static1
Behavioral task: behavioral1
  Sample: Bawless Windows Cracked By Vidhayakji786.rar
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Bawless Windows Cracked By Vidhayakji786.rar
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: Bawless Windows Cracked By Vidhayakji786.rar
  Resource: win10ltsc2021-20241211-en
Behavioral task: behavioral4
  Sample: Bawless Windows Cracked By Vidhayakji786.rar
  Resource: win11-20241007-en
General
Target: Bawless Windows Cracked By Vidhayakji786.rar
Size: 102.1MB
MD5: 99a1d2a905676cf0542c2a4d45e58d46
SHA1: 35fac87f8ca98865b6dee79023fb1c55cb925f0d
SHA256: 1801c0278583e34f09b0a202c83afbc6f2bb97ab0acb2932057a25e5eba597a6
SHA512: 3b1027101ef2d18a83aabd399c5ae3432b30f9ce541635ed35d1708864c55f94054b013e1c19e5b681838698067c8d6d722c3f9cf4c8b74c5c4ea8be40da8737
SSDEEP: 3145728:lp5yB7PXOvhxn3VGFEWDE6YorqEU+vhI9C:lpIB7PevhVVGbw5oex9C
Malware Config
Extracted
asyncrat
Bawless Remote
USGR6
127.0.0.1:15
7OZIOLO37
delay: 0
install: false
install_folder: %AppData%
Signatures
- Asyncrat family
- Async RAT payload 2 IoCs
  resource | yara_rule
  behavioral2/files/0x0007000000023d94-688.dat | family_asyncrat
  behavioral2/files/0x0006000000000709-711.dat | family_asyncrat
- Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | Bawless RAT Cracked By vidhayakji786.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | Bawless.exe
- Looks for VMWare Tools registry key 2 TTPs 2 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | Bawless RAT Cracked By vidhayakji786.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | Bawless.exe
- Checks BIOS information in registry 2 TTPs 4 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Bawless.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Bawless.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Bawless RAT Cracked By vidhayakji786.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Bawless RAT Cracked By vidhayakji786.exe
- Executes dropped EXE 3 IoCs
  pid | Process
  3664 | Bawless RAT Cracked By vidhayakji786.exe
  4544 | Bawless.exe
  1156 | bawless-client.exe
- Loads dropped DLL 10 IoCs
  pid | Process
  3664 | Bawless RAT Cracked By vidhayakji786.exe (4 entries)
  4544 | Bawless.exe (6 entries)
- Maps connected drives based on registry 3 TTPs 4 IoCs
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Bawless.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | Bawless.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Bawless RAT Cracked By vidhayakji786.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | Bawless RAT Cracked By vidhayakji786.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bawless RAT Cracked By vidhayakji786.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bawless.exe
- Checks processor information in registry 2 TTPs 4 IoCs
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Bawless RAT Cracked By vidhayakji786.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Bawless RAT Cracked By vidhayakji786.exe
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Bawless.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Bawless.exe
- Enumerates system info in registry 2 TTPs 6 IoCs
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | Bawless.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Bawless RAT Cracked By vidhayakji786.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | Bawless RAT Cracked By vidhayakji786.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | Bawless RAT Cracked By vidhayakji786.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Bawless.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | Bawless.exe
- Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\TypedURLs | Bawless.exe
- Modifies registry class 42 IoCs
- Suspicious behavior: EnumeratesProcesses 56 IoCs
  pid | Process
  3664 | Bawless RAT Cracked By vidhayakji786.exe (repeated entries)
  4544 | Bawless.exe (repeated entries)
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid | Process
  4544 | Bawless.exe
- Suspicious use of AdjustPrivilegeToken 6 IoCs
  description | pid | Process
  Token: SeRestorePrivilege | 4952 | 7zFM.exe
  Token: 35 | 4952 | 7zFM.exe
  Token: SeSecurityPrivilege | 4952 | 7zFM.exe
  Token: SeDebugPrivilege | 3664 | Bawless RAT Cracked By vidhayakji786.exe
  Token: SeDebugPrivilege | 4544 | Bawless.exe
  Token: SeDebugPrivilege | 1156 | bawless-client.exe
- Suspicious use of FindShellTrayWindow 2 IoCs
  pid | Process
  4952 | 7zFM.exe (2 entries)
- Suspicious use of SetWindowsHookEx 1 IoCs
  pid | Process
  4544 | Bawless.exe
Processes
- C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Bawless Windows Cracked By Vidhayakji786.rar"
  PID: 4952
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1400
- C:\Users\Admin\Desktop\Bawless Windows Cracked By Vidhayakji786\Bawless RAT Cracked By vidhayakji786.exe
  Command line: "C:\Users\Admin\Desktop\Bawless Windows Cracked By Vidhayakji786\Bawless RAT Cracked By vidhayakji786.exe"
  PID: 3664
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 4916
- C:\Users\Admin\Desktop\Bawless Windows Cracked By Vidhayakji786\Bawless.exe
  Command line: "C:\Users\Admin\Desktop\Bawless Windows Cracked By Vidhayakji786\Bawless.exe"
  PID: 4544
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 1584
- C:\Users\Admin\Desktop\bawless-client.exe
  Command line: "C:\Users\Admin\Desktop\bawless-client.exe"
  PID: 1156
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\KVTUeGqEzCfMMgCNfCLmJoBNI\Bawless.exe_Url_wl1drc3hzlqeq1b2url3jsdxl3wgypy1\1.0.0.0\1oeur5zj.newcfg
  Filesize: 563B
  MD5: ac7c413d12070d7844af4270c7ccff79
  SHA1: e6cb222e15928f5ee0e124c1a0aa0923eda17406
  SHA256: fffa6fab7b68811e32d9cfb42dc97a570a66819b15c46eb2a7193e9d4ca66525
  SHA512: 1aa1629ac1b199e9952f993d7af3a8e5220448192fcdd4da031bac9b4a5cf928c0ab571b297f3a45f88a20ad3dd1388deb85877d1ca4278675f72c8341257faf
- C:\Users\Admin\AppData\Local\KVTUeGqEzCfMMgCNfCLmJoBNI\Bawless.exe_Url_wl1drc3hzlqeq1b2url3jsdxl3wgypy1\1.0.0.0\fnnead2j.newcfg
  Filesize: 443B
  MD5: 7f2d9e053c7c6e4acc60a127c371a4be
  SHA1: d99e121d9a1cead6ad8e812697d3dcbe4ccf6855
  SHA256: 4ebc1c0126c41f300f54ef1fefb08771e11632f834e2c5471a1dcca6cd31c0fc
  SHA512: 7d9296d2c6bac4c21952742c000b38e712a05a458b63849490871c5fb87aedb5c516ea057d423e8c8948284b678d3f8933af54867e9c5851d968d8959ee2a7eb
- C:\Users\Admin\AppData\Local\KVTUeGqEzCfMMgCNfCLmJoBNI\Bawless.exe_Url_wl1drc3hzlqeq1b2url3jsdxl3wgypy1\1.0.0.0\user.config
  Filesize: 443B
  MD5: 61d35914f64611a3d9cf9c152751e351
  SHA1: e5ab53c6c395989f788e16bb0fed28ddf8741eb2
  SHA256: 143ef43526a3a3174a6f0f09088b0420c3e701bd129d772623f2c5019b025cd9
  SHA512: e5bc88b6b4242446fab31b2a52528cd9d28c77ff223041389c499c01db9c59979709eaca10975b27074609843a0fdc6d29913b4de3dff952cf5c925b3ad7c565
- C:\Users\Admin\AppData\Local\KVTUeGqEzCfMMgCNfCLmJoBNI\Bawless.exe_Url_wl1drc3hzlqeq1b2url3jsdxl3wgypy1\1.0.0.0\user.config
  Filesize: 443B
  MD5: a462759394e2447d9b8d33c8f1b5cfbf
  SHA1: 211e0da9ad445338d9e8a466acfc172f9d599f97
  SHA256: 5af02b76e1b467040c919992a9ecf4942c1cdf2b30b59772f87e61b9bb778268
  SHA512: 608dea8eb27ae33611e2dcafd5024d9a3b49c2f1a3409aeb4fb255894519559db55238a376a695c58e1595f2c19f6285b11d4abe258bb5e0421994b163112d1d
- C:\Users\Admin\AppData\Local\KVTUeGqEzCfMMgCNfCLmJoBNI\Bawless.exe_Url_wl1drc3hzlqeq1b2url3jsdxl3wgypy1\1.0.0.0\user.config
  Filesize: 323B
  MD5: f9386d27234e43fe47b6795942a7a8ff
  SHA1: 4191f495d7abac1cdac478ce50fddbbbfebe723e
  SHA256: b546a456ef0590f41e1c61682380b4997e9d0b7216b3092bf598c14dd2b128bf
  SHA512: 96b9aedbe5bc6c7cf7317eb05ac355ae2caed8480425b31012e0c95f62f02db65c6412f10596d187d880a98572cf43e2f5cd70b73f6074efb21af78e834ec498
- C:\Users\Admin\AppData\Local\KVTUeGqEzCfMMgCNfCLmJoBNI\Bawless.exe_Url_wl1drc3hzlqeq1b2url3jsdxl3wgypy1\1.0.0.0\user.config
  Filesize: 443B
  MD5: e638c22bea6f9e94ff8a7fd911b116b3
  SHA1: af544cf8769ddb610290010c01f7c242857ae558
  SHA256: 250571b222424f8f70bc7264b918d14705de15323bd2266286374735bd66a2c8
  SHA512: 715f68cfc2cf2aebb9be455598b1046389484d41d31c3f78f138ec33bfc9a6010b903db5c3eac8eb6d54a887eb7d2a571b396232efcca688d9ad834efe9d70f2
- C:\Users\Admin\AppData\Local\Temp\7zE85396AE7\Bawless Windows Cracked By Vidhayakji786\Logs\Ookii.Dialogs.dll
  Filesize: 126KB
  MD5: c43d1d849935bd82fc577155dba84af0
  SHA1: edc34ad456dc57979078b62373bf865e694a9666
  SHA256: 3e09f4104fc86a3ec4d6a600269d99c78485fa8b00726b19c7abf7a27eedbce1
  SHA512: 8a40199d220f55b28e13398472af12dbaca926603c778750c6a645ae92a9aea73b9f3b00e016ec81793420fa29f146b33f86dd6676652a55ce6d1eb61824c04a
- C:\Users\Admin\AppData\Local\Temp\7zE85396AE7\Bawless Windows Cracked By Vidhayakji786\Logs\ProgressControls(4).dll
  Filesize: 12KB
  MD5: c57a6c026cd6ea2870b83a423e6de4eb
  SHA1: 4177bd227f4bed55c7715091c7117f210650343d
  SHA256: 86d3053ad9366fef9ada575c9a4898ee5ac62067f1fa4c5914831f26b4dc9642
  SHA512: 86bcfa9a1f3dfe2356f1589f01873a4ca09e262e881dd97ec0028cd674332e0b9ab4129716e7bd4b810fccb59608e067e5ab56783e63e0b222f4821581073063
- C:\Users\Admin\AppData\Local\Temp\7zE85396AE7\Bawless Windows Cracked By Vidhayakji786\Logs\vdump_03BF22DC.dll
  Filesize: 12KB
  MD5: 0658acea2f429d6bd5f75eccb8149ab1
  SHA1: 94924ab49ac27a33d40d465ede34391f64e3cecb
  SHA256: 70ef00516d8eb2d0650fbbba61f4edb785939e90c9d52a315f29b48f2c625e9d
  SHA512: 71e920d50343399cb39d29d9ec51ebf33bfbd0cf28663740220979b2974c047b1a1c47d431f04b2df0a6139b162463a1542b3d12c94691c1988cedd4ed67fe21
- C:\Users\Admin\AppData\Local\Temp\7zE85396AE7\Bawless Windows Cracked By Vidhayakji786\Logs\vdump_0C7869D8.dll
  Filesize: 126KB
  MD5: 33d7c1072648f75e50b99ed7b68afe44
  SHA1: 9fe80ddaf34a93eac09d76816d5b2051626dbe02
  SHA256: 05a6a9ddc257ea82ec112db8a01eac70cadc7828e985c1cea4757b3b4c1f437b
  SHA512: 86a9b32395738fba5ab6417497a79d933256e73b03d33627f886309513bfb6e968c10b8c536c95ba4f98f9bb1df7142bbb37cbdcfdcf5c6ffbf64cc27d340227
- C:\Users\Admin\Desktop\Bawless Windows Cracked By Vidhayakji786\Bawless RAT Cracked By vidhayakji786.exe
  Filesize: 14.7MB
  MD5: 7e228fdc2c17c3ef4ee02fcec4a4df7f
  SHA1: a5112a8cf9e6dac6bb7ad6767c9979600f581a7b
  SHA256: bd1ee9c456e4c08c4c8f184a8cb680b88dc444e231c855c850a4df2a9cb3aeb9
  SHA512: 3f1871a01d097a241d7533819b51099870888607fb8a4b51b669357fedafc197f6dc2551328e7f920a3a245e6bec183e460865dc20240d9d54ff4936cbc29eb4