146e60d8dc75128cfd31cd96f589e53224637b76473ebb64a920a4d9da0eccc2

Analysis

max time kernel
23s
max time network
26s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2024 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Boostrapper.exe
Size

28.6MB
MD5

dce9cff74b9d9bab6a5986013aec628e
SHA1

b815990c20f978888cbf1d09a31f374423785d0b
SHA256

146e60d8dc75128cfd31cd96f589e53224637b76473ebb64a920a4d9da0eccc2
SHA512

a4cd1c4ebc9937b0f902660e067028cba11ae1a14332ea0948e74e9a270668ece765f0f1462d34ade757cc04ac634bdb171ff8b980b1a04f9bccca01a130411b
SSDEEP

786432:GhQiXgPQEErUlqsA3XTg5MS57vDACrv3Fqbqx:iQE89Ed3XTg5MS57v0eqbQ

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	BOOSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	BOOSTRAPPER.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Boostrapper.exe

Executes dropped EXE 3 IoCs

pid	Process
1280	BOOTSTRAPPER.EXE
2036	BOOTSTRAPPER.EXE
3336	BOOTSTRAPPER.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 54 IoCs

Web Service

T1102

flow	ioc
125	pastebin.com
133	pastebin.com
68	pastebin.com
90	pastebin.com
92	pastebin.com
60	pastebin.com
102	pastebin.com
108	pastebin.com
122	pastebin.com
139	pastebin.com
115	pastebin.com
30	pastebin.com
69	pastebin.com
136	pastebin.com
22	pastebin.com
110	pastebin.com
126	pastebin.com
132	pastebin.com
134	pastebin.com
80	pastebin.com
15	pastebin.com
61	pastebin.com
81	pastebin.com
120	pastebin.com
16	pastebin.com
38	pastebin.com
116	pastebin.com
26	pastebin.com
47	pastebin.com
75	pastebin.com
105	pastebin.com
95	pastebin.com
17	pastebin.com
43	pastebin.com
52	pastebin.com
53	pastebin.com
89	pastebin.com
97	pastebin.com
14	pastebin.com
66	pastebin.com
79	pastebin.com
57	pastebin.com
71	pastebin.com
73	pastebin.com
88	pastebin.com
130	pastebin.com
25	pastebin.com
36	pastebin.com
41	pastebin.com
55	pastebin.com
109	pastebin.com
119	pastebin.com
65	pastebin.com
112	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boostrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOSTRAPPER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BOOSTRAPPER.EXE

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3052	ipconfig.exe
3520	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	BOOTSTRAPPER.EXE
Token: SeDebugPrivilege	1280	BOOTSTRAPPER.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 4072	4276	Boostrapper.exe	124
PID 4276 wrote to memory of 4072	4276	Boostrapper.exe	124
PID 4276 wrote to memory of 4072	4276	Boostrapper.exe	124
PID 4276 wrote to memory of 1280	4276	Boostrapper.exe	86
PID 4276 wrote to memory of 1280	4276	Boostrapper.exe	86
PID 4072 wrote to memory of 4692	4072	BOOSTRAPPER.EXE	88
PID 4072 wrote to memory of 4692	4072	BOOSTRAPPER.EXE	88
PID 4072 wrote to memory of 4692	4072	BOOSTRAPPER.EXE	88
PID 4072 wrote to memory of 2036	4072	BOOSTRAPPER.EXE	89
PID 4072 wrote to memory of 2036	4072	BOOSTRAPPER.EXE	89
PID 4692 wrote to memory of 4380	4692	BOOSTRAPPER.EXE	91
PID 4692 wrote to memory of 4380	4692	BOOSTRAPPER.EXE	91
PID 4692 wrote to memory of 4380	4692	BOOSTRAPPER.EXE	91
PID 4692 wrote to memory of 3336	4692	BOOSTRAPPER.EXE	146
PID 4692 wrote to memory of 3336	4692	BOOSTRAPPER.EXE	146

C:\Users\Admin\AppData\Local\Temp\Boostrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Boostrapper.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
  "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
    "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
      "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4380
    - - C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        5⤵
        
        PID:2172
      - C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        6⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        7⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        8⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        9⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        10⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        11⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        12⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        13⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        14⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        15⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        16⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        17⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        18⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        19⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        20⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        21⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        22⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        23⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        24⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        25⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        26⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        27⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        28⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        29⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        30⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        31⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        32⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        33⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        34⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        35⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        36⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        37⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        38⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        39⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        40⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        41⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        42⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        43⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        44⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        45⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        46⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        47⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        48⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        49⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        50⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        51⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        52⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        53⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        54⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        55⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        56⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        57⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        58⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        59⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        60⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOSTRAPPER.EXE"
        61⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        61⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        60⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        59⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        58⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        57⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        56⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        55⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        54⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        53⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        52⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        51⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        50⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        49⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        48⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        47⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        46⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        45⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        44⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        43⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        42⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        41⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        40⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        39⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        38⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        37⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        36⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        35⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        34⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        33⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        32⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        31⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        30⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        29⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        28⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        27⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        26⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        25⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        24⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        23⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        22⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        21⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        20⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        19⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        18⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        17⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        16⤵
        
        PID:2728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        15⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        14⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        13⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        12⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.22.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.22.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE" --isUpdate true
        13⤵
        
        PID:3580
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c ipconfig /all
        14⤵
        
        PID:872
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        15⤵
        Gathers network information
        
        PID:3520
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
        14⤵
        
        PID:984
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
        15⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        11⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        10⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.22.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.22.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE" --isUpdate true
        11⤵
        
        PID:3328
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c ipconfig /all
        12⤵
        
        PID:1748
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        13⤵
        Gathers network information
        
        PID:3052
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
        12⤵
        
        PID:4044
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
        13⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        9⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        8⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        7⤵
        
        PID:4580
      - C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        6⤵
        
        PID:3424
    - - C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
        5⤵
        
        PID:4668
  - - C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
      "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
      4⤵
      Executes dropped EXE
      PID:3336
- - C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
    "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE
  "C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BOOTSTRAPPER.EXE.log

Filesize
1KB

MD5
5d0144083196da811c34700c23011f86

SHA1
ff996da2d523a1f8515260cfba7ba9ba2342b892

SHA256
4e3146eaca68b797f97f9399273f0de2b18994e2df8ecf4578bca9bbbade7b0f

SHA512
3296d3fa6154557072ad23a40e517eff3a37ec847a04acb443bbbd4f9c45b8e8e5dfb094f0ab21810a29681d94907b5e417aa6e30f71fd2b366e566b8bba33bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\BOOTSTRAPPER.EXE

Filesize
972KB

MD5
90fd25ced85fe6db28d21ae7d1f02e2c

SHA1
e27eff4cd4d383f5c564cce2bd1aaa2ffe4ec056

SHA256
97572bd57b08b59744e4dfe6f93fb96be4002dfe1aa78683771725401776464f

SHA512
1c775cf8dfde037eaa98eb14088c70d74923f0f6a83030a71f2f4c1a4453f6154dab7a4aa175e429860badda3e5e0ae226f3c3e8171332f5962bf36f8aa073fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.22.exe

Filesize
800KB

MD5
2a4dcf20b82896be94eb538260c5fb93

SHA1
21f232c2fd8132f8677e53258562ad98b455e679

SHA256
ebbcb489171abfcfce56554dbaeacd22a15838391cbc7c756db02995129def5a

SHA512
4f1164b2312fb94b7030d6eb6aa9f3502912ffa33505f156443570fc964bfd3bb21ded3cf84092054e07346d2dce83a0907ba33f4ba39ad3fe7a78e836efe288

Download Submit
C:\Users\Admin\AppData\Local\Temp\DISCORD

Filesize
103B

MD5
487ab53955a5ea101720115f32237a45

SHA1
c59d22f8bc8005694505addef88f7968c8d393d3

SHA256
d64354a111fd859a08552f6738fecd8c5594475e8c03bb37546812a205d0d368

SHA512
468689d98645c9f32813d833a07bbcf96fe0de4593f4f4dc6757501fbce8e9951d21a8aa4a7050a87a904d203f521134328d426d4e6ab9f20e7e759769003b7c

Download Submit
memory/2036-12-0x000001F56C160000-0x000001F56C25A000-memory.dmp

Filesize
1000KB

Download
memory/2036-19-0x000001F56DFA0000-0x000001F56DFC2000-memory.dmp

Filesize
136KB

Download
memory/3328-43-0x00000261C3A30000-0x00000261C3AFE000-memory.dmp

Filesize
824KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads