5f48c49a076ce47c99701ffc6923f70f2e2992d4d8f250ee033f268feb1347be

Analysis

max time kernel
8s
max time network
9s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BoostrapperX64.exe
Size

1.1MB
MD5

7ceaf5f580f8c1de0abd2155e23fabd3
SHA1

23b87f5c240953a9f1cd3091db9dd15c3035526a
SHA256

5f48c49a076ce47c99701ffc6923f70f2e2992d4d8f250ee033f268feb1347be
SHA512

6ac89ab1be1e929783bf3561c6048185bf551599939c4e42e7a785a68b7aa3a4053313edb878a78d4af8e2efee0c2a33251f27a818e2edf369e8fdf3e1e6c6fa
SSDEEP

24576:HTaE1KGZIg8ji3ZvXwz1TkZ6eVRLw5dpVq2CBWIKPR6:zasKGCPMfg14/G5dDk8IKJ6

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	BoostrapperX64.exe

Executes dropped EXE 1 IoCs

pid	Process
5108	Blades.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2564	tasklist.exe
4636	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ReferralsBedroom	BoostrapperX64.exe
File opened for modification	C:\Windows\ServicesOpposed	BoostrapperX64.exe
File opened for modification	C:\Windows\ConnectSentences	BoostrapperX64.exe
File opened for modification	C:\Windows\ChemistryRealized	BoostrapperX64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blades.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BoostrapperX64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5108	Blades.com
5108	Blades.com
5108	Blades.com
5108	Blades.com
5108	Blades.com
5108	Blades.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4636	tasklist.exe
Token: SeDebugPrivilege	2564	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5108	Blades.com
5108	Blades.com
5108	Blades.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5108	Blades.com
5108	Blades.com
5108	Blades.com

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 3932	2528	BoostrapperX64.exe	83
PID 2528 wrote to memory of 3932	2528	BoostrapperX64.exe	83
PID 2528 wrote to memory of 3932	2528	BoostrapperX64.exe	83
PID 3932 wrote to memory of 4636	3932	cmd.exe	85
PID 3932 wrote to memory of 4636	3932	cmd.exe	85
PID 3932 wrote to memory of 4636	3932	cmd.exe	85
PID 3932 wrote to memory of 2848	3932	cmd.exe	86
PID 3932 wrote to memory of 2848	3932	cmd.exe	86
PID 3932 wrote to memory of 2848	3932	cmd.exe	86
PID 3932 wrote to memory of 2564	3932	cmd.exe	89
PID 3932 wrote to memory of 2564	3932	cmd.exe	89
PID 3932 wrote to memory of 2564	3932	cmd.exe	89
PID 3932 wrote to memory of 3368	3932	cmd.exe	90
PID 3932 wrote to memory of 3368	3932	cmd.exe	90
PID 3932 wrote to memory of 3368	3932	cmd.exe	90
PID 3932 wrote to memory of 2624	3932	cmd.exe	91
PID 3932 wrote to memory of 2624	3932	cmd.exe	91
PID 3932 wrote to memory of 2624	3932	cmd.exe	91
PID 3932 wrote to memory of 3616	3932	cmd.exe	92
PID 3932 wrote to memory of 3616	3932	cmd.exe	92
PID 3932 wrote to memory of 3616	3932	cmd.exe	92
PID 3932 wrote to memory of 364	3932	cmd.exe	93
PID 3932 wrote to memory of 364	3932	cmd.exe	93
PID 3932 wrote to memory of 364	3932	cmd.exe	93
PID 3932 wrote to memory of 4888	3932	cmd.exe	94
PID 3932 wrote to memory of 4888	3932	cmd.exe	94
PID 3932 wrote to memory of 4888	3932	cmd.exe	94
PID 3932 wrote to memory of 3648	3932	cmd.exe	95
PID 3932 wrote to memory of 3648	3932	cmd.exe	95
PID 3932 wrote to memory of 3648	3932	cmd.exe	95
PID 3932 wrote to memory of 5108	3932	cmd.exe	96
PID 3932 wrote to memory of 5108	3932	cmd.exe	96
PID 3932 wrote to memory of 5108	3932	cmd.exe	96
PID 3932 wrote to memory of 4364	3932	cmd.exe	97
PID 3932 wrote to memory of 4364	3932	cmd.exe	97
PID 3932 wrote to memory of 4364	3932	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\BoostrapperX64.exe
"C:\Users\Admin\AppData\Local\Temp\BoostrapperX64.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Collection Collection.cmd & Collection.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4636
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2848
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3368
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 577677
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2624
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Playstation
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3616
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "SAVANNAH" Insights
    3⤵
    - System Location Discovery: System Language Discovery
    PID:364
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 577677\Blades.com + Diseases + Bag + Shades + Faculty + Polyphonic + Career + Investigate + Reminder + Votes + Fiscal 577677\Blades.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4888
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Thorough + ..\Patients + ..\Vessels + ..\Neighbor + ..\Tion + ..\Exam i
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3648
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\577677\Blades.com
    Blades.com i
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5108
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\577677\Blades.com

Filesize
537B

MD5
879a8b485dcf860315b274c729d86e87

SHA1
e1a410d311d49e25c77e10fa4c02e540ac109054

SHA256
038c24e8f949b0e3d800f7a69ec00bd072da12f87c47ee881fad97fb6a449053

SHA512
a10ed7106fed5e30505b0185b4e140f77fadf205f5fb593fc5cbd40ff1385abe4cf668465808e2cf13bbfd8dc2b37800a3c4ad5c721936a80e75d2655dd26795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\577677\Blades.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\577677\i

Filesize
469KB

MD5
3a6874302851a697ceb8f42f308f0412

SHA1
86acd728e680f19a0b075586e15fcfe27d71112f

SHA256
f331e0de1e8d0427fc0104fc6454ece131876cb5c8a4b607e0d1f6d7f4e15151

SHA512
17f89b48008df35a74cf5ee022cdb931b0f718eab879daf4fb682c4a426fc1f448cbdb993cc2b3b7e96640f1d15c1289062de57fd211bf7b23d1424924f65d46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Bag

Filesize
104KB

MD5
5177efec105e33ae0aa304a5362d9631

SHA1
50f431f5bb750d1d27352dfa8b7ea3cd0749afe0

SHA256
6b16c166c6d1f472f61103e8a3b1eb369298234afbd0f22e90699d0be961975f

SHA512
d61dcdc03639969bf2f3d25e45030a82ad49c85d5809923d2fed82e26155cf1bcd9b82109aebef1b368e9971091dc13c8321aaed6162c9b88ddf769ab1aad268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Career

Filesize
119KB

MD5
f8cef50a46ba8a279d60f3238bff2788

SHA1
806b7988da1b0f33741358440b32ea4ae365a98a

SHA256
1931be17185ee066488a44a371005468a1edb433b1f09a855090f22e8e70776e

SHA512
50d7efcf7a76b16a841d57509f321ef28f74c46709057b38ff30b5615f38f8553dc95a980028efb313711f367e8d793abffab063763dae061e9bcb2c240fdc86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Collection

Filesize
30KB

MD5
6479b7f536c9335d07ad988a176e8959

SHA1
c85f68ca91303a8f3319061afd95e13523fe9e56

SHA256
1fb1758a1710f68ea3cf0db68b74c501d0f10b17b04c2fef397e2f9b1008268d

SHA512
42519358e6922559c77f68469092df2c14b96464b9ea96c546952c54675a0766adcd1d4c775abe463c8be8d8f22d171f26836534ffdda4ca179250c502091268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Diseases

Filesize
78KB

MD5
9c0971ecb2919428ad914ad26dcb1d4b

SHA1
d66d19b6647525271209a83e1c7686adfa33809c

SHA256
ec69a34af00e6ed8daf59ade4fa96196719a57ef144e7eb5ab44be63c9a69d58

SHA512
e5b0ae6588aa30ebca1ef005848e4be0caaeb19f3bd68e0b6d83241f92371a5bd609e86fb38101f270e1e7b5af566fd2744f0de85c684404b73a51ddbe29885f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Exam

Filesize
74KB

MD5
f82bd4bd732255b4d778963667167cb3

SHA1
bb3582827ae09077d484761bb6bb9dd6990c7e71

SHA256
998178a73bdc33dc8160806b630c6f7059f0a6ccda3bf28e7e342da19e65e9c3

SHA512
0d3e7798c864c006178600c870980f6715c639fc1bde0311fd7eee6870ac395efc928b809872894fe1889d8b472ce478cbcfc671549f0752d0623eab3be26fdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Faculty

Filesize
142KB

MD5
99eb5fa12753d8bf7d3cf9f4c7373436

SHA1
155b6f947d639bddcb0af998c3086b1ac6b63557

SHA256
aa81dd58a1c6536a4ab0f4c5c2db2b7afde6918713a127c6aac1a507b9a8ddf4

SHA512
4bafee28536dad7602e9dbfca01434416f2fd31ce6a403fa57344d452f64bec5807c3bb5f9624f3f0728e18f60b3f3590a75c95a7b9ed0f7a41b1e342bedd90e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fiscal

Filesize
43KB

MD5
0d15e3bfbe78f9be763a994d8177d6d6

SHA1
dfb9a31356c85942f7a611d820560f8b84b7ec0f

SHA256
a3768a1c4953ed6567e0431e6bbb6dc039bec6d3ddadc1cb09628529f782f7b6

SHA512
e8cedd1046dbaa6e8e76fb8247eb384d92fcdfad5393ee7c00de8eb2107a8f9075efce2a6182a0b733956c3f45bf1814e988dc74747fdbf28bdd4816ea2afb9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Insights

Filesize
545B

MD5
413a60fb2d82b4ce8109c6e508f5dd1e

SHA1
dd7d9e395a7935c2bf8f681c7b3e40ac9547f18a

SHA256
a9acbe04968d3aa344d806bc131edeed835c35690cf8d5b4ab8bf1e7fa766e5d

SHA512
206fb83674ed6f6669027899d462b015323f14016aea8b23dc4daca30466f725ddd8befe4693268f31ab82ff7b8857c6258795276c55d4c3968670602fc4ca1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Investigate

Filesize
129KB

MD5
ec880d0a7ee22c8e46fbf85af44cfd6d

SHA1
e9c430b472eee9f617dd27a97db30f0e52a49eec

SHA256
ff2ef38c7353e403c7162fede86be41f3289f791282094a28da086e4d999ac53

SHA512
64bbd2f2e144b4de5429a52bae41f5382900917becf55b52d53849db43db5f734afa8b31fac35d1a77b1beb12dbad0c9f469840b86c23955cbc84b9161b46c6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Neighbor

Filesize
60KB

MD5
e3b998a372b3f7c0d730675e37663918

SHA1
bdd29587543c0396816498f9fcb4542adb1eb72f

SHA256
2e86dcc4abd0cf610dfef2555761e6ad6d668920e8aa2bd64f4c86250b87ccda

SHA512
ffd5623925798f2a113acf6dcb65828045cc8d24fd94c947ddb2b0f99d55f2aef7b426e62c93546d348b7035321d94dcfe0ae9709a6c27795cb3d6981504e904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Patients

Filesize
85KB

MD5
afbb3caff3929f5caf0ea6c09e58f789

SHA1
b418a3ccdf582570ac15dde36835da5857df0e65

SHA256
c53f4cda3e5ac7bcb0ee3f1a8f4d261191bfb90cb64092b9886e4a0fafaf3dc5

SHA512
36aa8651dc5597502e9c08dd12e7d4ea34bd503f42bd8fbac2ac1c12a5c3b8e3ef951c4c116e702804f146cf28a51a3ca3350a175ac2357e1dcb98f9b71fac3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Playstation

Filesize
476KB

MD5
ff3ba342fa0b1c89e3f52df1b73b6dd2

SHA1
c67105b4d000847f3040cdfc100ee38da302bd0e

SHA256
fbd33215a5ae079782335f882bc47b272356129b35e34fa4a813747bc565d315

SHA512
2fab550f1687e5cccd4c8a96577d9c15f22c43e18fe631bf08f0762c89599819955746670f57bb4bcf0483f86f2bc98331ce4b85c562f4ead3777bab477785ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Polyphonic

Filesize
117KB

MD5
e19afc34a1ee9eaa2a37846069d4e569

SHA1
19846791f60bf300e81cf986cb9146952091e39d

SHA256
b8f64f63ff9419d0a068a3ed51d3067d6515c83d833e96668dc32822053e5a9e

SHA512
cf0ecbb3bdfb58bd609370109ff980d56c54ad1cbffb857e24195d8e2f965700d4918ea5a3c16bf8b008c0ff0432c2af8ee9b266e956f45a537a90a0c85b118e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Reminder

Filesize
65KB

MD5
ac99470ae40e8a86a6bcdcdacd19b0ed

SHA1
7317c1d6547af3db940fe32019bfd09c737f6b60

SHA256
9159ac6ca1a1516b72cc8b17282cc2e7e2a7aab39414850677e35d5d9e931e83

SHA512
95af638e2c95c62c61f245fa7c793b3b0c2f638922d960118c30de7f9efb7bb0048fb73139220a2fe893c60c1714a0646d74143aafc10784ddeb52dccb7da266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Shades

Filesize
70KB

MD5
0c8a494f48923022745a3e96b8abd8e5

SHA1
84413ff6630fa8b5c553839516ba5feefd9e4eb8

SHA256
e4eb357cb6aad6fbb744d341054d8e3fc603fe522db32fc7e4f6b1100f587800

SHA512
f7603808c827c0786cf9a09d42480fb43e5944c141bb9398dbf7b9d921e7d273d23dba760a266abff40ea0f31ffa366e75f6bd4a64e59cde4e8bc33e5925d7a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Thorough

Filesize
58KB

MD5
e52dfb935e9690a3b1d4c3dfce0a3a59

SHA1
353ae454882185b8ef34a2ecc1c5b4cefa41c524

SHA256
e2672d9b463db1ee759e0d81de01081995c36c094e1a7ee83a27a3d5da4a2a67

SHA512
a993cdfaba9fc27ad79f8e8af30269b4ba187fa10db318d830f3c842564d5f4cef398942bb66fac63e22c1744712cb218724a1f1edce4d56e74da621b23b363a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Tion

Filesize
93KB

MD5
a00287d4623526d77a4364213ffd78a6

SHA1
a93a94e5b7b459df2a8e340ec2c9f3ddc8696e03

SHA256
dae21476b99543fc0e0b670a722c122bcebaf83510204dc18516d39e5782ed8e

SHA512
9e33d8899f54c7729667964ab50a4db9d1ec15a429bbed252a2e3449b8d9c827b73fcfa6071bc6aeeaa5dd704016cd087e5ec9f089d8b40168539aa9d17cc86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Vessels

Filesize
99KB

MD5
a0c46b378af316f01644f7516a67ae8f

SHA1
3078ca4c91900ccf35ee5be9171ba7de7b2e201a

SHA256
a9696081082702e3827a78d57b3712dcaa4a4e06b2daad79b0c052c0c7efac87

SHA512
682151c57968da2db273fb5a6c0d4d3c2647ad31762c83e332f3825fe6848870971af1481dccd9047d30fffd2969ba8b49b57ceaa809b5ce7dcc3b8ad011ebff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Votes

Filesize
57KB

MD5
d3c6665c189e64c126920f2ec1f0f4fd

SHA1
c3d6c9550d028d30cddf5671f915c1eb55208ef7

SHA256
ee8ac35d35b2b5a3d686d818c8a6f1b9e5fee713f553c62f426bd08144efc3d1

SHA512
207ff32ecc61def8e277d3a215e09fbea73ee13a3e103a530d32a45ac954b3e421a13f82fa721ffe0bb665357de2111b9400cefffc45328da0ed2c3bdb243436

Download Submit