quasar | b14b916cd2f188ea09035489056e0bff9f8cb8e4a30eff50172f86319fabc940

Analysis

max time kernel
145s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31/01/2025, 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BPLogger.exe
Size

3.1MB
MD5

14b871855a9046ef9aedeec80f9c2d86
SHA1

32c0ad34f524748b76c090fc881b75b928341e7e
SHA256

b14b916cd2f188ea09035489056e0bff9f8cb8e4a30eff50172f86319fabc940
SHA512

7ada8280b9a5a4dcb427da5f7634335c191645614148ed550dbbbacfaed72e1e99202caedddc02f48dc73d96bf0ecd4d35c2ed2d6206e9b25efba4f29dcc8e96
SSDEEP

49152:3v7lL26AaNeWgPhlmVqvMQ7XSKlfyCC4KgoGdulF8THHB72eh2NT:3vhL26AaNeWgPhlmVqkQ7XSKlfyg

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

wefdwef-34180.portmap.host:34180

Mutex

c4be1726-3f86-4f80-bc7c-0779b06ffeeb

Attributes

encryption_key
97BF1FDCF446A7218FA05296FD8D8F0C41A6B1E7
install_name
Bootstrapper.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Spotify
subdirectory
system32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 8 IoCs

resource	yara_rule
behavioral1/memory/2024-1-0x0000000000060000-0x0000000000384000-memory.dmp	family_quasar
behavioral1/files/0x0008000000016d2e-5.dat	family_quasar
behavioral1/memory/2012-8-0x0000000001320000-0x0000000001644000-memory.dmp	family_quasar
behavioral1/memory/2408-54-0x00000000001A0000-0x00000000004C4000-memory.dmp	family_quasar
behavioral1/memory/1852-66-0x0000000000FE0000-0x0000000001304000-memory.dmp	family_quasar
behavioral1/memory/636-109-0x00000000011C0000-0x00000000014E4000-memory.dmp	family_quasar
behavioral1/memory/1916-131-0x0000000001250000-0x0000000001574000-memory.dmp	family_quasar
behavioral1/memory/2796-164-0x0000000000310000-0x0000000000634000-memory.dmp	family_quasar

Executes dropped EXE 15 IoCs

pid	Process
2012	Bootstrapper.exe
1748	Bootstrapper.exe
2620	Bootstrapper.exe
1768	Bootstrapper.exe
2408	Bootstrapper.exe
1852	Bootstrapper.exe
2944	Bootstrapper.exe
2912	Bootstrapper.exe
2984	Bootstrapper.exe
636	Bootstrapper.exe
1640	Bootstrapper.exe
1916	Bootstrapper.exe
1692	Bootstrapper.exe
2612	Bootstrapper.exe
2796	Bootstrapper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1016	PING.EXE
2052	PING.EXE
2640	PING.EXE
2820	PING.EXE
2020	PING.EXE
1516	PING.EXE
1912	PING.EXE
612	PING.EXE
672	PING.EXE
2684	PING.EXE
1028	PING.EXE
1944	PING.EXE
1560	PING.EXE
2568	PING.EXE
1924	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1924	PING.EXE
1944	PING.EXE
2640	PING.EXE
2820	PING.EXE
672	PING.EXE
1516	PING.EXE
1912	PING.EXE
2020	PING.EXE
2568	PING.EXE
1028	PING.EXE
1560	PING.EXE
2684	PING.EXE
1016	PING.EXE
612	PING.EXE
2052	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2888	schtasks.exe
1596	schtasks.exe
2748	schtasks.exe
2632	schtasks.exe
880	schtasks.exe
2528	schtasks.exe
1032	schtasks.exe
2492	schtasks.exe
2672	schtasks.exe
2856	schtasks.exe
352	schtasks.exe
2692	schtasks.exe
1132	schtasks.exe
896	schtasks.exe
968	schtasks.exe
2256	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	BPLogger.exe
Token: SeDebugPrivilege	2012	Bootstrapper.exe
Token: SeDebugPrivilege	1748	Bootstrapper.exe
Token: SeDebugPrivilege	2620	Bootstrapper.exe
Token: SeDebugPrivilege	1768	Bootstrapper.exe
Token: SeDebugPrivilege	2408	Bootstrapper.exe
Token: SeDebugPrivilege	1852	Bootstrapper.exe
Token: SeDebugPrivilege	2944	Bootstrapper.exe
Token: SeDebugPrivilege	2912	Bootstrapper.exe
Token: SeDebugPrivilege	2984	Bootstrapper.exe
Token: SeDebugPrivilege	636	Bootstrapper.exe
Token: SeDebugPrivilege	1640	Bootstrapper.exe
Token: SeDebugPrivilege	1916	Bootstrapper.exe
Token: SeDebugPrivilege	1692	Bootstrapper.exe
Token: SeDebugPrivilege	2612	Bootstrapper.exe
Token: SeDebugPrivilege	2796	Bootstrapper.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2012	Bootstrapper.exe
1748	Bootstrapper.exe
2620	Bootstrapper.exe
1768	Bootstrapper.exe
2408	Bootstrapper.exe
1852	Bootstrapper.exe
2944	Bootstrapper.exe
2912	Bootstrapper.exe
2984	Bootstrapper.exe
636	Bootstrapper.exe
1640	Bootstrapper.exe
1916	Bootstrapper.exe
1692	Bootstrapper.exe
2612	Bootstrapper.exe
2796	Bootstrapper.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2012	Bootstrapper.exe
1748	Bootstrapper.exe
2620	Bootstrapper.exe
1768	Bootstrapper.exe
2408	Bootstrapper.exe
1852	Bootstrapper.exe
2944	Bootstrapper.exe
2912	Bootstrapper.exe
2984	Bootstrapper.exe
636	Bootstrapper.exe
1640	Bootstrapper.exe
1916	Bootstrapper.exe
1692	Bootstrapper.exe
2612	Bootstrapper.exe
2796	Bootstrapper.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2256	2024	BPLogger.exe	31
PID 2024 wrote to memory of 2256	2024	BPLogger.exe	31
PID 2024 wrote to memory of 2256	2024	BPLogger.exe	31
PID 2024 wrote to memory of 2012	2024	BPLogger.exe	33
PID 2024 wrote to memory of 2012	2024	BPLogger.exe	33
PID 2024 wrote to memory of 2012	2024	BPLogger.exe	33
PID 2012 wrote to memory of 2672	2012	Bootstrapper.exe	34
PID 2012 wrote to memory of 2672	2012	Bootstrapper.exe	34
PID 2012 wrote to memory of 2672	2012	Bootstrapper.exe	34
PID 2012 wrote to memory of 2540	2012	Bootstrapper.exe	36
PID 2012 wrote to memory of 2540	2012	Bootstrapper.exe	36
PID 2012 wrote to memory of 2540	2012	Bootstrapper.exe	36
PID 2540 wrote to memory of 2692	2540	cmd.exe	38
PID 2540 wrote to memory of 2692	2540	cmd.exe	38
PID 2540 wrote to memory of 2692	2540	cmd.exe	38
PID 2540 wrote to memory of 2568	2540	cmd.exe	39
PID 2540 wrote to memory of 2568	2540	cmd.exe	39
PID 2540 wrote to memory of 2568	2540	cmd.exe	39
PID 2540 wrote to memory of 1748	2540	cmd.exe	40
PID 2540 wrote to memory of 1748	2540	cmd.exe	40
PID 2540 wrote to memory of 1748	2540	cmd.exe	40
PID 1748 wrote to memory of 2528	1748	Bootstrapper.exe	41
PID 1748 wrote to memory of 2528	1748	Bootstrapper.exe	41
PID 1748 wrote to memory of 2528	1748	Bootstrapper.exe	41
PID 1748 wrote to memory of 1720	1748	Bootstrapper.exe	43
PID 1748 wrote to memory of 1720	1748	Bootstrapper.exe	43
PID 1748 wrote to memory of 1720	1748	Bootstrapper.exe	43
PID 1720 wrote to memory of 1112	1720	cmd.exe	45
PID 1720 wrote to memory of 1112	1720	cmd.exe	45
PID 1720 wrote to memory of 1112	1720	cmd.exe	45
PID 1720 wrote to memory of 1516	1720	cmd.exe	46
PID 1720 wrote to memory of 1516	1720	cmd.exe	46
PID 1720 wrote to memory of 1516	1720	cmd.exe	46
PID 1720 wrote to memory of 2620	1720	cmd.exe	47
PID 1720 wrote to memory of 2620	1720	cmd.exe	47
PID 1720 wrote to memory of 2620	1720	cmd.exe	47
PID 2620 wrote to memory of 896	2620	Bootstrapper.exe	48
PID 2620 wrote to memory of 896	2620	Bootstrapper.exe	48
PID 2620 wrote to memory of 896	2620	Bootstrapper.exe	48
PID 2620 wrote to memory of 1300	2620	Bootstrapper.exe	50
PID 2620 wrote to memory of 1300	2620	Bootstrapper.exe	50
PID 2620 wrote to memory of 1300	2620	Bootstrapper.exe	50
PID 1300 wrote to memory of 2036	1300	cmd.exe	52
PID 1300 wrote to memory of 2036	1300	cmd.exe	52
PID 1300 wrote to memory of 2036	1300	cmd.exe	52
PID 1300 wrote to memory of 1912	1300	cmd.exe	53
PID 1300 wrote to memory of 1912	1300	cmd.exe	53
PID 1300 wrote to memory of 1912	1300	cmd.exe	53
PID 1300 wrote to memory of 1768	1300	cmd.exe	54
PID 1300 wrote to memory of 1768	1300	cmd.exe	54
PID 1300 wrote to memory of 1768	1300	cmd.exe	54
PID 1768 wrote to memory of 2888	1768	Bootstrapper.exe	55
PID 1768 wrote to memory of 2888	1768	Bootstrapper.exe	55
PID 1768 wrote to memory of 2888	1768	Bootstrapper.exe	55
PID 1768 wrote to memory of 2340	1768	Bootstrapper.exe	57
PID 1768 wrote to memory of 2340	1768	Bootstrapper.exe	57
PID 1768 wrote to memory of 2340	1768	Bootstrapper.exe	57
PID 2340 wrote to memory of 288	2340	cmd.exe	59
PID 2340 wrote to memory of 288	2340	cmd.exe	59
PID 2340 wrote to memory of 288	2340	cmd.exe	59
PID 2340 wrote to memory of 1016	2340	cmd.exe	60
PID 2340 wrote to memory of 1016	2340	cmd.exe	60
PID 2340 wrote to memory of 1016	2340	cmd.exe	60
PID 2340 wrote to memory of 2408	2340	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\BPLogger.exe
"C:\Users\Admin\AppData\Local\Temp\BPLogger.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2256
- C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
  "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2672
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\6jVOcpKpe04o.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2692
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2568
  - - C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
      "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1748
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2528
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\S1IDfG8pK8m3.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1720
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1112
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1516
      - C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:896
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\VUxfJMSYNN9F.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1912
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2888
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\cPDB5pXCT7Bx.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:288
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1016
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2408
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:968
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ho9cnUh3n5FO.bat" "
        11⤵
        
        PID:1496
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2268
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:612
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1852
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1132
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5JbNnrO5nHI8.bat" "
        13⤵
        
        PID:3016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3012
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2052
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2944
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1596
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\wSkhHgQ8TzBe.bat" "
        15⤵
        
        PID:2896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1808
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2640
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2912
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2748
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mrnfKW7W5zoO.bat" "
        17⤵
        
        PID:2668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2820
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2984
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2632
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YpsXWyby8YFp.bat" "
        19⤵
        
        PID:492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1232
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:636
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2856
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\8HFfsIDNhQcB.bat" "
        21⤵
        
        PID:2212
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:964
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:672
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1640
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1032
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Yu1bgsHEnpZi.bat" "
        23⤵
        
        PID:1744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:1728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1924
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1916
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2492
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\B5YhlFaeD9Nm.bat" "
        25⤵
        
        PID:544
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2136
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1028
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1692
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:880
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PXg8yLPahUaq.bat" "
        27⤵
        
        PID:2444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1944
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2612
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:352
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\pAJBDmaxUPW4.bat" "
        29⤵
        
        PID:2660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2796
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2692
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mQVQm9C8tszx.bat" "
        31⤵
        
        PID:2332
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:2848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5JbNnrO5nHI8.bat

Filesize
215B

MD5
34bf1954f75e6790b244ad90b07f5931

SHA1
ea0ca0dafc71f831fe726a96f206141902f68c86

SHA256
16b2286ca7073fe2dcc8d1ba346e8912600d5357e897ebfcd6fb4ca60cf66348

SHA512
1e76179ba030b17b08bbe792b86d78882eba7f6268bf9daad4f652104965eac00b45de9c3834f01d2f48a0d87b27ab189cfc23c99b62d7a57b2c90d8dc23e959

Download Submit
C:\Users\Admin\AppData\Local\Temp\6jVOcpKpe04o.bat

Filesize
215B

MD5
92f3503264c158555505729372c84105

SHA1
cb3fc374c19e4edcb1e338b59fe4ecbe39bd2dce

SHA256
bad0cc604629e47dfb532d2298b5fd7af34983526d2fb0deedc82f97838d327f

SHA512
5bbcb0ca763bef39e70fe9a8b680b1669c524b51b214857b933ee3cf286daa9bca83bd87fa3ba54b2ebdbbb7047026ce01446168b5c3baf3a0c8ba35453748ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\8HFfsIDNhQcB.bat

Filesize
215B

MD5
f1263a07d4ec3bce2041aa06a734ebf5

SHA1
b8bdabcdd6b07c25ca65e4cd040fa16e0da16370

SHA256
e0fa08ce2de5bc1a8221b17da7c1301e320adfce661859ae31722711882bd3ed

SHA512
eb0351f83100abfa48034c222ec272fc87876c50abef679655c4a8f305da718a42652643fee39a4329a6ab1124a3b1db0f0e02ac63bafe51d2ea67b90ce23bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\B5YhlFaeD9Nm.bat

Filesize
215B

MD5
8613e14d9bef5bb12da3a61fbf582dab

SHA1
f032b72597d99e0645797884c114acda7bf96d5f

SHA256
1202de255baa049c13099ab8a8ffb375385671fbdbb91bc61937967b834ea45d

SHA512
1230dcd2ad8e3ead1d11caa3a7eaeca5bb719e806c8848d6e3894cd8922efcefb31b377396fa3736b591e67da9506e4bd0f0e1c82a1443eec94a1b004504febc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ho9cnUh3n5FO.bat

Filesize
215B

MD5
6886540a45c999b542527845e47a18bb

SHA1
390719412a0642d2fac21f0a3710fcbb9d4fb29d

SHA256
1f724c313e3a3f7c03cf135779531bbb73f0bc93f27c4bf6a3171a4a29e1613f

SHA512
fd7d2b1e80fe4a0837fa1f697e434c6386773980499144cff2d21bbe59833883296071d19f186bd9628849aba014995e2d5f8b2449dfcd460569b3fb4fe49cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\PXg8yLPahUaq.bat

Filesize
215B

MD5
1443d20ea039325b7a834598663849d9

SHA1
dd6190787fa2d4d367b7a750f7be13ff37876683

SHA256
623f8bf71272647861162a8997d73fd89e1450e426555f6a87a1bcb4a9d7f31c

SHA512
ad6034abe3ea82b1a9ac5d1015917b4756e6616de9a91717ed6cbc8963c6840f22438973b5a1d371851eea56050d9adca98eeda60c2e00bbffe6ba8b53db21c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\S1IDfG8pK8m3.bat

Filesize
215B

MD5
83ae91eba89e84d6d6f6b8c3e9b5fb7c

SHA1
f17009fb7ecbb34af5dfd65a47c0f531e4b1769f

SHA256
07bcc451e347187c08502041c05dba4e4978f75ab22018c76a2eec7559981c43

SHA512
5b402d112f2157e1be139a71bbe1013e0a371c14809d88fe64784adaa0314c08db0dca3cad23fbcf6ab6a0db85c58c53712dee0d58a36af49e4c3837f5fd2837

Download Submit
C:\Users\Admin\AppData\Local\Temp\VUxfJMSYNN9F.bat

Filesize
215B

MD5
fcf1b3cc2624a146d13afd43526634c1

SHA1
05e9dd032aa0ad1d2d3d1ef8f2de300400c669df

SHA256
d92f9c99e52726744dac585740094a0d367f706319786f55b21bac4c4a4b46a9

SHA512
22dbe79ac16d97e16ac8318f7c68a298502be3f68f449c7ad59e2f6e5dde311f2bcdab837d00d0875f4ee6a85ffd8a021c3a89a17c5174740e7328c0b07aa2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\YpsXWyby8YFp.bat

Filesize
215B

MD5
7fd3e2013d1054c84da2ae1d3e0d6245

SHA1
de90d8a0e05a2779a49a0371cf584f32a4694288

SHA256
d02c5ea258808b5a8842115b58955a4bb5301959cbe44b87aed3c0d610170ef8

SHA512
e3dc5e8f51560da9fac67a9073ac781e791fbb48723150ff1d3e853e64d89df480e464aed7006fd11c623caf19df780a22fff2ce8344aa62294afae6a876b7a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yu1bgsHEnpZi.bat

Filesize
215B

MD5
a7a80212eba12d84fa372cdf4085eb55

SHA1
79df25585b2da4b02357be6f72a3596fb299a782

SHA256
be35b6d8884c2981dd2e9fcf8aa3f4b9be01f5bc545b96ee09699035873fa4a8

SHA512
c9ca04fa4c9de15cd7906bc2dace62202d12da5276d4b5906846fdd5bb62c608b8cab97d1b5cf834c4bbbc3af91c30da5a6b2316df5b85a254b389929ebdb36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cPDB5pXCT7Bx.bat

Filesize
215B

MD5
6dd02e217cdf3e7b952bd3cdbfa3fae6

SHA1
5668313d308246217d7a0a9fe61e109ed390a2f6

SHA256
b20386807a650cca38a781099f46efc5952d6a50cf4d180079f0fb13fe97be7c

SHA512
c159ee6b5b7bd65e3855f87e6b39c0bd4f89651744547bb328d15d2021bf5652a5437bcd2f9bff9d08b40fbc175ef31ce43adc3dbfe1970c8cf8e4af9766b15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQVQm9C8tszx.bat

Filesize
215B

MD5
2f5bb85add11062ab8a7f9348a77f0bf

SHA1
68459f6afeb94e7c24e4286c866bddbb680c8cbe

SHA256
ffc1a45e60d6b51d62d655fd47ff3a5d421e2319f7cad0a38eb25544250ddce4

SHA512
907c6b3d0863b61af00d7ad3d0c3b4e04df3f0643d86bc31bc5734e8e4ec34702faf2247f13cb8b022604406860974c849732b0c35a9516303538bc06c47accf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrnfKW7W5zoO.bat

Filesize
215B

MD5
3363c31e4608af3431be5ccd8d0a6e5f

SHA1
8a587e85457df5e36d989ef28076ee675be13d08

SHA256
f1957820a489d5ca5f182976554a56af68aba8255a4ec5772ca6cc560bece754

SHA512
ef7d8a4bfbfc69c13febab762e01d1406c3dbdfb324fe7416e0ade07e5f1a741b8560c832c581f2cdf623221ed168ee9cfd3704d0e4c905934021e36e214facc

Download Submit
C:\Users\Admin\AppData\Local\Temp\pAJBDmaxUPW4.bat

Filesize
215B

MD5
add35865d40ecf267ce535a1197b5bfa

SHA1
0ddfccbcbfebb566a1007d9db7a93cd4b8cc138f

SHA256
ff4841d818f247e1a2b81ed70062bfbd01e6355b2bb2f9e941d6413cdec0a206

SHA512
daef924f22b25129703c9e8502d70df208471e5609be3fcca4f7ab4fb92ae98b67deca36c80437a7672bc01ec0950f694e95c29d82f625915ff9f355b017767a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wSkhHgQ8TzBe.bat

Filesize
215B

MD5
7498263afb3db1dc9d3b5e5fc2ee8ff2

SHA1
528d4af4cb3efac22b1f08939c67327bb7eea524

SHA256
95cff7746a03b752f27f3b5d65de2e0102588cef8493ca9312cf3bb0e15f77f9

SHA512
ad0dae29a4da0597b6dc307a024df56efa016f727a60dedc4198a88297ba78b277ea4c0cad6124cfe506a3a3a42a0d8d24c469a528e2af98006db549d8c67c80

Download Submit
C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe

Filesize
3.1MB

MD5
14b871855a9046ef9aedeec80f9c2d86

SHA1
32c0ad34f524748b76c090fc881b75b928341e7e

SHA256
b14b916cd2f188ea09035489056e0bff9f8cb8e4a30eff50172f86319fabc940

SHA512
7ada8280b9a5a4dcb427da5f7634335c191645614148ed550dbbbacfaed72e1e99202caedddc02f48dc73d96bf0ecd4d35c2ed2d6206e9b25efba4f29dcc8e96

Download Submit
memory/636-109-0x00000000011C0000-0x00000000014E4000-memory.dmp

Filesize
3.1MB

Download
memory/1852-66-0x0000000000FE0000-0x0000000001304000-memory.dmp

Filesize
3.1MB

Download
memory/1916-131-0x0000000001250000-0x0000000001574000-memory.dmp

Filesize
3.1MB

Download
memory/2012-10-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2012-19-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2012-8-0x0000000001320000-0x0000000001644000-memory.dmp

Filesize
3.1MB

Download
memory/2012-7-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2024-0-0x000007FEF5D23000-0x000007FEF5D24000-memory.dmp

Filesize
4KB

Download
memory/2024-9-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2024-2-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

Filesize
9.9MB

Download
memory/2024-1-0x0000000000060000-0x0000000000384000-memory.dmp

Filesize
3.1MB

Download
memory/2408-54-0x00000000001A0000-0x00000000004C4000-memory.dmp

Filesize
3.1MB

Download
memory/2796-164-0x0000000000310000-0x0000000000634000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads