Analysis
- max time kernel: 145s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 31/01/2025, 05:17
Behavioral task: behavioral1
- Sample: BPLogger.exe
- Resource: win7-20240903-en

General
- Target: BPLogger.exe
- Size: 3.1MB
- MD5: 14b871855a9046ef9aedeec80f9c2d86
- SHA1: 32c0ad34f524748b76c090fc881b75b928341e7e
- SHA256: b14b916cd2f188ea09035489056e0bff9f8cb8e4a30eff50172f86319fabc940
- SHA512: 7ada8280b9a5a4dcb427da5f7634335c191645614148ed550dbbbacfaed72e1e99202caedddc02f48dc73d96bf0ecd4d35c2ed2d6206e9b25efba4f29dcc8e96
- SSDEEP: 49152:3v7lL26AaNeWgPhlmVqvMQ7XSKlfyCC4KgoGdulF8THHB72eh2NT:3vhL26AaNeWgPhlmVqkQ7XSKlfyg
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: Office04
- C2: wefdwef-34180.portmap.host:34180
- Mutex: c4be1726-3f86-4f80-bc7c-0779b06ffeeb
- encryption_key: 97BF1FDCF446A7218FA05296FD8D8F0C41A6B1E7
- install_name: Bootstrapper.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Spotify
- subdirectory: system32
Signatures
- Quasar family
- Quasar payload (8 IoCs)
  Resources matched by yara rule family_quasar:
  - behavioral1/memory/2024-1-0x0000000000060000-0x0000000000384000-memory.dmp
  - behavioral1/files/0x0008000000016d2e-5.dat
  - behavioral1/memory/2012-8-0x0000000001320000-0x0000000001644000-memory.dmp
  - behavioral1/memory/2408-54-0x00000000001A0000-0x00000000004C4000-memory.dmp
  - behavioral1/memory/1852-66-0x0000000000FE0000-0x0000000001304000-memory.dmp
  - behavioral1/memory/636-109-0x00000000011C0000-0x00000000014E4000-memory.dmp
  - behavioral1/memory/1916-131-0x0000000001250000-0x0000000001574000-memory.dmp
  - behavioral1/memory/2796-164-0x0000000000310000-0x0000000000634000-memory.dmp
- Executes dropped EXE (15 IoCs)
  Process Bootstrapper.exe, PIDs: 2012, 1748, 2620, 1768, 2408, 1852, 2944, 2912, 2984, 636, 1640, 1916, 1692, 2612, 2796
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 15 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
  Process PING.EXE, PIDs: 1016, 2052, 2640, 2820, 2020, 1516, 1912, 612, 672, 2684, 1028, 1944, 1560, 2568, 1924
- Runs ping.exe (1 TTP, 15 IoCs)
  Process PING.EXE, PIDs: 1924, 1944, 2640, 2820, 672, 1516, 1912, 2020, 2568, 1028, 1560, 2684, 1016, 612, 2052
- Scheduled Task/Job: Scheduled Task (1 TTP, 16 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Process schtasks.exe, PIDs: 2888, 1596, 2748, 2632, 880, 2528, 1032, 2492, 2672, 2856, 352, 2692, 1132, 896, 968, 2256
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token: SeDebugPrivilege, BPLogger.exe (PID 2024)
  Token: SeDebugPrivilege, Bootstrapper.exe (PIDs 2012, 1748, 2620, 1768, 2408, 1852, 2944, 2912, 2984, 636, 1640, 1916, 1692, 2612, 2796)
- Suspicious use of FindShellTrayWindow (15 IoCs)
  Process Bootstrapper.exe, PIDs: 2012, 1748, 2620, 1768, 2408, 1852, 2944, 2912, 2984, 636, 1640, 1916, 1692, 2612, 2796
- Suspicious use of SendNotifyMessage (15 IoCs)
  Process Bootstrapper.exe, PIDs: 2012, 1748, 2620, 1768, 2408, 1852, 2944, 2912, 2984, 636, 1640, 1916, 1692, 2612, 2796
- Suspicious use of WriteProcessMemory (64 IoCs)
  Distinct parent/child pairs (each is reported three times in the raw event log; the trailing number is the procid_target):
  - PID 2024 (BPLogger.exe) wrote to memory of PID 2256, procid_target 31
  - PID 2024 (BPLogger.exe) wrote to memory of PID 2012, procid_target 33
  - PID 2012 (Bootstrapper.exe) wrote to memory of PID 2672, procid_target 34
  - PID 2012 (Bootstrapper.exe) wrote to memory of PID 2540, procid_target 36
  - PID 2540 (cmd.exe) wrote to memory of PID 2692, procid_target 38
  - PID 2540 (cmd.exe) wrote to memory of PID 2568, procid_target 39
  - PID 2540 (cmd.exe) wrote to memory of PID 1748, procid_target 40
  - PID 1748 (Bootstrapper.exe) wrote to memory of PID 2528, procid_target 41
  - PID 1748 (Bootstrapper.exe) wrote to memory of PID 1720, procid_target 43
  - PID 1720 (cmd.exe) wrote to memory of PID 1112, procid_target 45
  - PID 1720 (cmd.exe) wrote to memory of PID 1516, procid_target 46
  - PID 1720 (cmd.exe) wrote to memory of PID 2620, procid_target 47
  - PID 2620 (Bootstrapper.exe) wrote to memory of PID 896, procid_target 48
  - PID 2620 (Bootstrapper.exe) wrote to memory of PID 1300, procid_target 50
  - PID 1300 (cmd.exe) wrote to memory of PID 2036, procid_target 52
  - PID 1300 (cmd.exe) wrote to memory of PID 1912, procid_target 53
  - PID 1300 (cmd.exe) wrote to memory of PID 1768, procid_target 54
  - PID 1768 (Bootstrapper.exe) wrote to memory of PID 2888, procid_target 55
  - PID 1768 (Bootstrapper.exe) wrote to memory of PID 2340, procid_target 57
  - PID 2340 (cmd.exe) wrote to memory of PID 288, procid_target 59
  - PID 2340 (cmd.exe) wrote to memory of PID 1016, procid_target 60
  - PID 2340 (cmd.exe) wrote to memory of PID 2408, procid_target 61
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry is one process in the sandbox process tree. "depth N" is the nesting level: an entry at depth N was started by the nearest preceding entry at depth N-1.

- [depth 1] C:\Users\Admin\AppData\Local\Temp\BPLogger.exe (PID 2024)
  Command line: "C:\Users\Admin\AppData\Local\Temp\BPLogger.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- [depth 2] C:\Windows\system32\schtasks.exe (PID 2256)
  Command line: "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 2] C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe (PID 2012)
  Command line: "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\system32\schtasks.exe (PID 2672)
  Command line: "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 3] C:\Windows\system32\cmd.exe (PID 2540)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\6jVOcpKpe04o.bat" "
  Signatures: Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\system32\chcp.com (PID 2692)
  Command line: chcp 65001
- [depth 4] C:\Windows\system32\PING.EXE (PID 2568)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 4] C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe (PID 1748)
  Command line: "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
- [depth 5] C:\Windows\system32\schtasks.exe (PID 2528)
  Command line: "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 5] C:\Windows\system32\cmd.exe (PID 1720)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\S1IDfG8pK8m3.bat" "
  Signatures: Suspicious use of WriteProcessMemory
- [depth 6] C:\Windows\system32\chcp.com (PID 1112)
  Command line: chcp 65001
- [depth 6] C:\Windows\system32\PING.EXE (PID 1516)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 6] C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe (PID 2620)
  Command line: "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
- [depth 7] C:\Windows\system32\schtasks.exe (PID 896)
  Command line: "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 7] C:\Windows\system32\cmd.exe (PID 1300)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\VUxfJMSYNN9F.bat" "
  Signatures: Suspicious use of WriteProcessMemory
- [depth 8] C:\Windows\system32\chcp.com (PID 2036)
  Command line: chcp 65001
- [depth 8] C:\Windows\system32\PING.EXE (PID 1912)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 8] C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe (PID 1768)
  Command line: "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
- [depth 9] C:\Windows\system32\schtasks.exe (PID 2888)
  Command line: "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 9] C:\Windows\system32\cmd.exe (PID 2340)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\cPDB5pXCT7Bx.bat" "
  Signatures: Suspicious use of WriteProcessMemory
- [depth 10] C:\Windows\system32\chcp.com (PID 288)
  Command line: chcp 65001
- [depth 10] C:\Windows\system32\PING.EXE (PID 1016)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 10] C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe (PID 2408)
  Command line: "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- [depth 11] C:\Windows\system32\schtasks.exe (PID 968)
  Command line: "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 11] C:\Windows\system32\cmd.exe (PID 1496)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ho9cnUh3n5FO.bat" "
- [depth 12] C:\Windows\system32\chcp.com (PID 2268)
  Command line: chcp 65001
- [depth 12] C:\Windows\system32\PING.EXE (PID 612)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 12] C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe (PID 1852)
  Command line: "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- [depth 13] C:\Windows\system32\schtasks.exe (PID 1132)
  Command line: "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 13] C:\Windows\system32\cmd.exe (PID 3016)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\5JbNnrO5nHI8.bat" "
- [depth 14] C:\Windows\system32\chcp.com (PID 3012)
  Command line: chcp 65001
- [depth 14] C:\Windows\system32\PING.EXE (PID 2052)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 14] C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe (PID 2944)
  Command line: "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- [depth 15] C:\Windows\system32\schtasks.exe (PID 1596)
  Command line: "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 15] C:\Windows\system32\cmd.exe (PID 2896)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\wSkhHgQ8TzBe.bat" "
- [depth 16] C:\Windows\system32\chcp.com (PID 1808)
  Command line: chcp 65001
- [depth 16] C:\Windows\system32\PING.EXE (PID 2640)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 16] C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe (PID 2912)
  Command line: "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- [depth 17] C:\Windows\system32\schtasks.exe (PID 2748)
  Command line: "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 17] C:\Windows\system32\cmd.exe (PID 2668)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\mrnfKW7W5zoO.bat" "
- [depth 18] C:\Windows\system32\chcp.com (PID 2840)
  Command line: chcp 65001
- [depth 18] C:\Windows\system32\PING.EXE (PID 2820)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 18] C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe (PID 2984)
  Command line: "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- [depth 19] C:\Windows\system32\schtasks.exe (PID 2632)
  Command line: "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 19] C:\Windows\system32\cmd.exe (PID 492)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\YpsXWyby8YFp.bat" "
- [depth 20] C:\Windows\system32\chcp.com (PID 1232)
  Command line: chcp 65001
- [depth 20] C:\Windows\system32\PING.EXE (PID 2020)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 20] C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe (PID 636)
  Command line: "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- [depth 21] C:\Windows\system32\schtasks.exe (PID 2856)
  Command line: "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 21] C:\Windows\system32\cmd.exe (PID 2212)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\8HFfsIDNhQcB.bat" "
- [depth 22] C:\Windows\system32\chcp.com (PID 964)
  Command line: chcp 65001
- [depth 22] C:\Windows\system32\PING.EXE (PID 672)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 22] C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe (PID 1640)
  Command line: "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- [depth 23] C:\Windows\system32\schtasks.exe (PID 1032)
  Command line: "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 23] C:\Windows\system32\cmd.exe (PID 1744)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\Yu1bgsHEnpZi.bat" "
- [depth 24] C:\Windows\system32\chcp.com (PID 1728)
  Command line: chcp 65001
- [depth 24] C:\Windows\system32\PING.EXE (PID 1924)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 24] C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe (PID 1916)
  Command line: "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- [depth 25] C:\Windows\system32\schtasks.exe (PID 2492)
  Command line: "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 25] C:\Windows\system32\cmd.exe (PID 544)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\B5YhlFaeD9Nm.bat" "
- [depth 26] C:\Windows\system32\chcp.com (PID 2136)
  Command line: chcp 65001
- [depth 26] C:\Windows\system32\PING.EXE (PID 1028)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 26] C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe (PID 1692)
  Command line: "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- [depth 27] C:\Windows\system32\schtasks.exe (PID 880)
  Command line: "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 27] C:\Windows\system32\cmd.exe (PID 2444)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\PXg8yLPahUaq.bat" "
- [depth 28] C:\Windows\system32\chcp.com (PID 2108)
  Command line: chcp 65001
- [depth 28] C:\Windows\system32\PING.EXE (PID 1944)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 28] C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe (PID 2612)
  Command line: "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- [depth 29] C:\Windows\system32\schtasks.exe (PID 352)
  Command line: "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 29] C:\Windows\system32\cmd.exe (PID 2660)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\pAJBDmaxUPW4.bat" "
- [depth 30] C:\Windows\system32\chcp.com (PID 2728)
  Command line: chcp 65001
- [depth 30] C:\Windows\system32\PING.EXE (PID 2684)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
- [depth 30] C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe (PID 2796)
  Command line: "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- [depth 31] C:\Windows\system32\schtasks.exe (PID 2692)
  Command line: "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
  Signatures: Scheduled Task/Job: Scheduled Task
- [depth 31] C:\Windows\system32\cmd.exe (PID 2332)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\mQVQm9C8tszx.bat" "
- [depth 32] C:\Windows\system32\chcp.com (PID 2848)
  Command line: chcp 65001
- [depth 32] C:\Windows\system32\PING.EXE (PID 1560)
  Command line: ping -n 10 localhost
  Signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads