quasar | 77153049f33480d1b665c68aa0732e531f963f9acb04b9e016baafeca3b54dd8

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2025 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BPLogger.exe
Size

3.1MB
MD5

14b871855a9046ef9aedeec80f9c2d86
SHA1

32c0ad34f524748b76c090fc881b75b928341e7e
SHA256

b14b916cd2f188ea09035489056e0bff9f8cb8e4a30eff50172f86319fabc940
SHA512

7ada8280b9a5a4dcb427da5f7634335c191645614148ed550dbbbacfaed72e1e99202caedddc02f48dc73d96bf0ecd4d35c2ed2d6206e9b25efba4f29dcc8e96
SSDEEP

49152:3v7lL26AaNeWgPhlmVqvMQ7XSKlfyCC4KgoGdulF8THHB72eh2NT:3vhL26AaNeWgPhlmVqkQ7XSKlfyg

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

wefdwef-34180.portmap.host:34180

Mutex

c4be1726-3f86-4f80-bc7c-0779b06ffeeb

Attributes

encryption_key
97BF1FDCF446A7218FA05296FD8D8F0C41A6B1E7
install_name
Bootstrapper.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Spotify
subdirectory
system32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral6/memory/228-1-0x0000000000680000-0x00000000009A4000-memory.dmp	family_quasar
behavioral6/files/0x000b000000023b2c-6.dat	family_quasar

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe

Executes dropped EXE 15 IoCs

pid	Process
4668	Bootstrapper.exe
3292	Bootstrapper.exe
696	Bootstrapper.exe
672	Bootstrapper.exe
3856	Bootstrapper.exe
1448	Bootstrapper.exe
1276	Bootstrapper.exe
5104	Bootstrapper.exe
1200	Bootstrapper.exe
400	Bootstrapper.exe
5048	Bootstrapper.exe
2356	Bootstrapper.exe
1500	Bootstrapper.exe
1472	Bootstrapper.exe
876	Bootstrapper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4676	PING.EXE
3380	PING.EXE
640	PING.EXE
1156	PING.EXE
4036	PING.EXE
3156	PING.EXE
776	PING.EXE
1632	PING.EXE
4976	PING.EXE
3552	PING.EXE
1964	PING.EXE
1572	PING.EXE
1516	PING.EXE
4824	PING.EXE

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
776	PING.EXE
4676	PING.EXE
1572	PING.EXE
640	PING.EXE
3552	PING.EXE
1156	PING.EXE
4036	PING.EXE
1516	PING.EXE
4824	PING.EXE
4976	PING.EXE
3380	PING.EXE
1632	PING.EXE
1964	PING.EXE
3156	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4892	schtasks.exe
3496	schtasks.exe
2400	schtasks.exe
1956	schtasks.exe
3124	schtasks.exe
2352	schtasks.exe
1200	schtasks.exe
2712	schtasks.exe
3712	schtasks.exe
5052	schtasks.exe
3952	schtasks.exe
448	schtasks.exe
2916	schtasks.exe
4236	schtasks.exe
3016	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	228	BPLogger.exe
Token: SeDebugPrivilege	4668	Bootstrapper.exe
Token: SeDebugPrivilege	3292	Bootstrapper.exe
Token: SeDebugPrivilege	696	Bootstrapper.exe
Token: SeDebugPrivilege	672	Bootstrapper.exe
Token: SeDebugPrivilege	3856	Bootstrapper.exe
Token: SeDebugPrivilege	1448	Bootstrapper.exe
Token: SeDebugPrivilege	1276	Bootstrapper.exe
Token: SeDebugPrivilege	5104	Bootstrapper.exe
Token: SeDebugPrivilege	1200	Bootstrapper.exe
Token: SeDebugPrivilege	400	Bootstrapper.exe
Token: SeDebugPrivilege	5048	Bootstrapper.exe
Token: SeDebugPrivilege	2356	Bootstrapper.exe
Token: SeDebugPrivilege	1500	Bootstrapper.exe
Token: SeDebugPrivilege	1472	Bootstrapper.exe
Token: SeDebugPrivilege	876	Bootstrapper.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
4668	Bootstrapper.exe
3292	Bootstrapper.exe
696	Bootstrapper.exe
672	Bootstrapper.exe
3856	Bootstrapper.exe
1448	Bootstrapper.exe
1276	Bootstrapper.exe
5104	Bootstrapper.exe
1200	Bootstrapper.exe
400	Bootstrapper.exe
5048	Bootstrapper.exe
2356	Bootstrapper.exe
1500	Bootstrapper.exe
1472	Bootstrapper.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
4668	Bootstrapper.exe
3292	Bootstrapper.exe
696	Bootstrapper.exe
672	Bootstrapper.exe
3856	Bootstrapper.exe
1448	Bootstrapper.exe
1276	Bootstrapper.exe
5104	Bootstrapper.exe
1200	Bootstrapper.exe
400	Bootstrapper.exe
5048	Bootstrapper.exe
2356	Bootstrapper.exe
1500	Bootstrapper.exe
1472	Bootstrapper.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 1956	228	BPLogger.exe	86
PID 228 wrote to memory of 1956	228	BPLogger.exe	86
PID 228 wrote to memory of 4668	228	BPLogger.exe	88
PID 228 wrote to memory of 4668	228	BPLogger.exe	88
PID 4668 wrote to memory of 5052	4668	Bootstrapper.exe	89
PID 4668 wrote to memory of 5052	4668	Bootstrapper.exe	89
PID 4668 wrote to memory of 916	4668	Bootstrapper.exe	91
PID 4668 wrote to memory of 916	4668	Bootstrapper.exe	91
PID 916 wrote to memory of 1212	916	cmd.exe	93
PID 916 wrote to memory of 1212	916	cmd.exe	93
PID 916 wrote to memory of 776	916	cmd.exe	94
PID 916 wrote to memory of 776	916	cmd.exe	94
PID 916 wrote to memory of 3292	916	cmd.exe	95
PID 916 wrote to memory of 3292	916	cmd.exe	95
PID 3292 wrote to memory of 3952	3292	Bootstrapper.exe	96
PID 3292 wrote to memory of 3952	3292	Bootstrapper.exe	96
PID 3292 wrote to memory of 2652	3292	Bootstrapper.exe	98
PID 3292 wrote to memory of 2652	3292	Bootstrapper.exe	98
PID 2652 wrote to memory of 2952	2652	cmd.exe	100
PID 2652 wrote to memory of 2952	2652	cmd.exe	100
PID 2652 wrote to memory of 4976	2652	cmd.exe	101
PID 2652 wrote to memory of 4976	2652	cmd.exe	101
PID 2652 wrote to memory of 696	2652	cmd.exe	102
PID 2652 wrote to memory of 696	2652	cmd.exe	102
PID 696 wrote to memory of 1200	696	Bootstrapper.exe	103
PID 696 wrote to memory of 1200	696	Bootstrapper.exe	103
PID 696 wrote to memory of 744	696	Bootstrapper.exe	105
PID 696 wrote to memory of 744	696	Bootstrapper.exe	105
PID 744 wrote to memory of 3884	744	cmd.exe	107
PID 744 wrote to memory of 3884	744	cmd.exe	107
PID 744 wrote to memory of 3380	744	cmd.exe	108
PID 744 wrote to memory of 3380	744	cmd.exe	108
PID 744 wrote to memory of 672	744	cmd.exe	111
PID 744 wrote to memory of 672	744	cmd.exe	111
PID 672 wrote to memory of 2712	672	Bootstrapper.exe	112
PID 672 wrote to memory of 2712	672	Bootstrapper.exe	112
PID 672 wrote to memory of 1708	672	Bootstrapper.exe	114
PID 672 wrote to memory of 1708	672	Bootstrapper.exe	114
PID 1708 wrote to memory of 468	1708	cmd.exe	116
PID 1708 wrote to memory of 468	1708	cmd.exe	116
PID 1708 wrote to memory of 1632	1708	cmd.exe	117
PID 1708 wrote to memory of 1632	1708	cmd.exe	117
PID 1708 wrote to memory of 3856	1708	cmd.exe	119
PID 1708 wrote to memory of 3856	1708	cmd.exe	119
PID 3856 wrote to memory of 448	3856	Bootstrapper.exe	120
PID 3856 wrote to memory of 448	3856	Bootstrapper.exe	120
PID 3856 wrote to memory of 4428	3856	Bootstrapper.exe	122
PID 3856 wrote to memory of 4428	3856	Bootstrapper.exe	122
PID 4428 wrote to memory of 2320	4428	cmd.exe	124
PID 4428 wrote to memory of 2320	4428	cmd.exe	124
PID 4428 wrote to memory of 3552	4428	cmd.exe	125
PID 4428 wrote to memory of 3552	4428	cmd.exe	125
PID 4428 wrote to memory of 1448	4428	cmd.exe	126
PID 4428 wrote to memory of 1448	4428	cmd.exe	126
PID 1448 wrote to memory of 2916	1448	Bootstrapper.exe	127
PID 1448 wrote to memory of 2916	1448	Bootstrapper.exe	127
PID 1448 wrote to memory of 516	1448	Bootstrapper.exe	129
PID 1448 wrote to memory of 516	1448	Bootstrapper.exe	129
PID 516 wrote to memory of 4664	516	cmd.exe	131
PID 516 wrote to memory of 4664	516	cmd.exe	131
PID 516 wrote to memory of 1964	516	cmd.exe	132
PID 516 wrote to memory of 1964	516	cmd.exe	132
PID 516 wrote to memory of 1276	516	cmd.exe	133
PID 516 wrote to memory of 1276	516	cmd.exe	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\BPLogger.exe
"C:\Users\Admin\AppData\Local\Temp\BPLogger.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1956
- C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
  "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wilh9hOkSh7S.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1212
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:776
  - - C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
      "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3292
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3952
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vanGtm8Ib22t.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2952
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4976
      - C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZdNvsqxXWoKY.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3380
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iB3gekOejUCh.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:468
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1632
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scA9VBpI0TEg.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2320
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3552
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OJb04VmhGu7Y.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4664
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1964
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1276
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W61aUrdvwstJ.bat" "
        15⤵
        
        PID:3952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4824
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4676
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5104
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xmIjN2YfAryj.bat" "
        17⤵
        
        PID:828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1572
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1200
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TDBm8cSseLRM.bat" "
        19⤵
        
        PID:628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3104
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:640
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:400
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VHkNP1t5M67y.bat" "
        21⤵
        
        PID:3708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3148
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1156
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5048
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cu4NoLwUnOkI.bat" "
        23⤵
        
        PID:1880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1344
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4036
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2356
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G161u5Cv48PP.bat" "
        25⤵
        
        PID:3896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1516
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1500
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h2pkPIu2R9zL.bat" "
        27⤵
        
        PID:2928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2980
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4824
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1472
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\erboNKj3etiN.bat" "
        29⤵
        
        PID:4236
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1440
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3156
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Bootstrapper.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\G161u5Cv48PP.bat

Filesize
215B

MD5
0a9c01fa3d422b89ee2dcec86c2d599a

SHA1
f661479102c3a78b98e2148f03a36f518adc2c23

SHA256
c4436e6a5cf4a80fb0bb9ce94830242f7bdeea6336723a90cf54797b899fdf49

SHA512
c9a58f8306ddb47e60e9045d7b9a56ad66898f6513da46e2fe755cacd58e3c51ce8aa39517eb1baf46f1a5185e5d7d12b15a1572ff3731d6f0c56579598538ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\OJb04VmhGu7Y.bat

Filesize
215B

MD5
ecdc64889ac35d29ee4c44d4c55229e1

SHA1
07cf94cacb16ebacc561c504cf14ff77d0c35dfb

SHA256
a234b58e4867d50575bdbf9cdd9b51b27e2fc7dfa23321c7e4e0e6dcdde97a1b

SHA512
fe67e34f0e2eb3ae9918021c91ce415b2612031719c5dacaa95fbd7ab5a96a1beddd6cf6deb5d6cbd70d49e29b4d67ebf192cf54fc74f5a99b9e5ac077a8a454

Download Submit
C:\Users\Admin\AppData\Local\Temp\TDBm8cSseLRM.bat

Filesize
215B

MD5
101a390aa677ec82fda4f3b7d6275a51

SHA1
95f2f3b017ecb69e58e281d75020cd1b9021e3c7

SHA256
d5a1c38c7fe3acd6444e6682c1ee56a8221ecec72bb06261604c10b8d47b13bd

SHA512
d822394cb075c4d0ac3b57c87b45abfbfc6a934052a31f8755f11cc25e6696f515ea9bd7dbc74741db9e757ee9f25ab15c191b210f07000bca0adc2ec6416385

Download Submit
C:\Users\Admin\AppData\Local\Temp\VHkNP1t5M67y.bat

Filesize
215B

MD5
7f23931312533dfc52d3f3c77d5d66d6

SHA1
c5552c46a2bcdb08c85926c62c2fbd5788af975b

SHA256
b1117394f2e5b556c81ceaa6ec8ccaa9de9fe0d3d8cabde6d6201748433893a9

SHA512
e83019586e26e92fb67e97c0b0f56099f9fd083b0e31a1983bd91dfb4fd0c3f0225be13c725a8bd15cfa64ad511be3c7eab00e8cbdb216ed2e119764cafb7a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\W61aUrdvwstJ.bat

Filesize
215B

MD5
42ff0136da3c4d03658d045f2cc1931c

SHA1
0bd451d938b2561528c89f9eeed2f16a6a5af1bc

SHA256
085b586a9ec46675a9f115a3c332ffd0b03b1086c7d6f042ff6cc138435f4197

SHA512
5b175c099757dc63eb71c906d065165a9e7fd1e606a6adf62ffe1590a63c743a5764195964d72e0b1fda4b3e402e4824fec629b31e6542d95b7fa6a60f13d1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZdNvsqxXWoKY.bat

Filesize
215B

MD5
2778e77bd24c2a67f27fb06726771ab3

SHA1
0b4808109b0618ad41efd137bf92feee6075b023

SHA256
6825c3387c262a0448798c8f43530617bd587c570e9f0a1dd6dc8041dd846891

SHA512
cbeb04072d7446ad0400e9e13ac83e1dbbe8c0ed6fa86e2e42b609f4a22ba9917fd9f98531f57100afc7c3031c0d3fd8954d985bbd3760f67e29049425318aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cu4NoLwUnOkI.bat

Filesize
215B

MD5
800f701f17940e79c3314ecbc08dad2e

SHA1
b3cba30f5686e94b4243655d6d23a64e9f46881e

SHA256
c6907668ef70694cc46f07a64696a440ebed01921d491a3c7bd297a01f4ab3bb

SHA512
6810d24d86522a431dcd5033ecbf9bfb0d63faa5248a20d8b57cca21e822b7f0b133881bdf1f41754c134a68236c1143fd7be67118d2dd2b4fd900876009142d

Download Submit
C:\Users\Admin\AppData\Local\Temp\erboNKj3etiN.bat

Filesize
215B

MD5
ebadb2e2b764803cc4a11e90fda3b565

SHA1
b5e1cca28dff35a43c9827be05223db51c5503af

SHA256
9008b25bb5b7a5f507d60372dabc5e44f9d788ffa894f4ec7aa5031418e99a27

SHA512
fa56a4f85c26ee234f104e1df5bd5d4377e5769d6b8a105067e8b065839e073d0da90605df3fe75032006b64d4a795edfe68c3f11689ca10a4c13ab940ebcf19

Download Submit
C:\Users\Admin\AppData\Local\Temp\h2pkPIu2R9zL.bat

Filesize
215B

MD5
6d228e762ed4b322239e05403b63e9b8

SHA1
54fe212f3e494abb95bed3ac728b0f7bcad14020

SHA256
48c148805add93966e251da93cb7e1f5ae9545ba36abd18083d5951966d5c24e

SHA512
b561b2d4f1a6fb10cfc3fb5a4912ad74a67615af87bfbe65fa9dabe9cc1319b93b64a6967720c3d4eafe72e50932ccef81de63c6b3a9c5e3ec64ba3331e9dc26

Download Submit
C:\Users\Admin\AppData\Local\Temp\iB3gekOejUCh.bat

Filesize
215B

MD5
bc7555a6c9c4f0a76e830447816b8d74

SHA1
b838583a4843e2d37622556d4474ae2ecb6056e2

SHA256
c9bec7693a0d3846b4dc7310160c4ddaf0cbf51c24a03316b38a251459b3759b

SHA512
c2a6a30691ac334887f48eaf8f46aa9c53bbb257a1775fa38116025111572e8b632eb3388be5950b1ce42a65131a67fea66c9973d1211d969a8b5a77c9b4f2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\scA9VBpI0TEg.bat

Filesize
215B

MD5
55ce5e96f94306e5246f38afcd52ffe5

SHA1
89a8b7972d66ade04acfc09b7983041e2f0ac857

SHA256
b1ea18c8776ee6b23553607bdbea9b269ba2e282f99c84ea56b9b960d52b5c9a

SHA512
92b320fc4f4327d291315e22132306b63681a2ea7b3fd5634f74e24cc1c075325f6811b127b76ecba2b67e0e9a99391037ed64a82e02c79a60c26178987ac28f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vanGtm8Ib22t.bat

Filesize
215B

MD5
faea0c9ea4b0ce7ce74fbc9868466482

SHA1
43abdae5c1b9de25d8c600472c4577df2d8ba69a

SHA256
2d9789875adf4546a47861732345f9daba5ac57898fdcf0b8573d1043e8ad82b

SHA512
bc05cef0d6ff9eeba0f193d49ffe053baa2d06ca28fd0ae9e89535b77ba37d27b8b10eedd6be30d1d29c073e023d26b80bba052198ba5f5c7c9522783d583294

Download Submit
C:\Users\Admin\AppData\Local\Temp\wilh9hOkSh7S.bat

Filesize
215B

MD5
1af3403ae1f21d18d6459fc1aa8c2708

SHA1
870618b13a59e07fe5811f6fd647c523fa51d0be

SHA256
d16ceb61cd4b1c730708b3729552657efe1851e118d0cbfb1b6402ee349827ee

SHA512
7fe385d15b81b93fc9b51bfee3aa576c9dd6c2ff7eca621cbe898cce4c8ce8a88dfc7f04a16752f32896239682c527458db6aed3fdbd47abaa7742822343764a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmIjN2YfAryj.bat

Filesize
215B

MD5
715d996a3974f141967918d1777c9ac9

SHA1
bce68530e5e316d96da2b70d830bdc6382dc4078

SHA256
564248f5290472fc026dd9c4cda957fdbc3577c26ee34f41eb6e864601d8f9ff

SHA512
54233128df8b3e6e561d5ad3241072cc31c248a2305e5c5adf7ec51ff1869cc7cf8321ebe6f9f12396b93dc12c4c458e8aca30c8addde801db8b00bcdb49f7f8

Download Submit
C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe

Filesize
3.1MB

MD5
14b871855a9046ef9aedeec80f9c2d86

SHA1
32c0ad34f524748b76c090fc881b75b928341e7e

SHA256
b14b916cd2f188ea09035489056e0bff9f8cb8e4a30eff50172f86319fabc940

SHA512
7ada8280b9a5a4dcb427da5f7634335c191645614148ed550dbbbacfaed72e1e99202caedddc02f48dc73d96bf0ecd4d35c2ed2d6206e9b25efba4f29dcc8e96

Download Submit
memory/228-0-0x00007FFFC7DC3000-0x00007FFFC7DC5000-memory.dmp

Filesize
8KB

Download
memory/228-9-0x00007FFFC7DC0000-0x00007FFFC8881000-memory.dmp

Filesize
10.8MB

Download
memory/228-2-0x00007FFFC7DC0000-0x00007FFFC8881000-memory.dmp

Filesize
10.8MB

Download
memory/228-1-0x0000000000680000-0x00000000009A4000-memory.dmp

Filesize
3.1MB

Download
memory/4668-18-0x00007FFFC7DC0000-0x00007FFFC8881000-memory.dmp

Filesize
10.8MB

Download
memory/4668-12-0x000000001DB40000-0x000000001DBF2000-memory.dmp

Filesize
712KB

Download
memory/4668-11-0x000000001DA30000-0x000000001DA80000-memory.dmp

Filesize
320KB

Download
memory/4668-10-0x00007FFFC7DC0000-0x00007FFFC8881000-memory.dmp

Filesize
10.8MB

Download
memory/4668-8-0x00007FFFC7DC0000-0x00007FFFC8881000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads