quasar | b14b916cd2f188ea09035489056e0bff9f8cb8e4a30eff50172f86319fabc940

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2025 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BPLogger.exe
Size

3.1MB
MD5

14b871855a9046ef9aedeec80f9c2d86
SHA1

32c0ad34f524748b76c090fc881b75b928341e7e
SHA256

b14b916cd2f188ea09035489056e0bff9f8cb8e4a30eff50172f86319fabc940
SHA512

7ada8280b9a5a4dcb427da5f7634335c191645614148ed550dbbbacfaed72e1e99202caedddc02f48dc73d96bf0ecd4d35c2ed2d6206e9b25efba4f29dcc8e96
SSDEEP

49152:3v7lL26AaNeWgPhlmVqvMQ7XSKlfyCC4KgoGdulF8THHB72eh2NT:3vhL26AaNeWgPhlmVqkQ7XSKlfyg

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

wefdwef-34180.portmap.host:34180

Mutex

c4be1726-3f86-4f80-bc7c-0779b06ffeeb

Attributes

encryption_key
97BF1FDCF446A7218FA05296FD8D8F0C41A6B1E7
install_name
Bootstrapper.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Spotify
subdirectory
system32

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/2288-1-0x0000000000D30000-0x0000000001054000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023c78-5.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe

Executes dropped EXE 15 IoCs

pid	Process
3888	Bootstrapper.exe
4080	Bootstrapper.exe
3476	Bootstrapper.exe
2608	Bootstrapper.exe
3976	Bootstrapper.exe
2652	Bootstrapper.exe
2952	Bootstrapper.exe
4224	Bootstrapper.exe
1428	Bootstrapper.exe
1880	Bootstrapper.exe
3624	Bootstrapper.exe
4032	Bootstrapper.exe
1152	Bootstrapper.exe
4428	Bootstrapper.exe
3532	Bootstrapper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3288	PING.EXE
5056	PING.EXE
816	PING.EXE
1808	PING.EXE
5100	PING.EXE
3868	PING.EXE
4612	PING.EXE
924	PING.EXE
4564	PING.EXE
5004	PING.EXE
4236	PING.EXE
2404	PING.EXE
4952	PING.EXE
3884	PING.EXE
1520	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
2404	PING.EXE
5056	PING.EXE
4952	PING.EXE
816	PING.EXE
1520	PING.EXE
4564	PING.EXE
5100	PING.EXE
1808	PING.EXE
3884	PING.EXE
4612	PING.EXE
3288	PING.EXE
924	PING.EXE
5004	PING.EXE
3868	PING.EXE
4236	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1588	schtasks.exe
3436	schtasks.exe
2840	schtasks.exe
3092	schtasks.exe
2180	schtasks.exe
2460	schtasks.exe
2328	schtasks.exe
3160	schtasks.exe
4188	schtasks.exe
4068	schtasks.exe
3972	schtasks.exe
224	schtasks.exe
1464	schtasks.exe
1908	schtasks.exe
1588	schtasks.exe
4672	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	BPLogger.exe
Token: SeDebugPrivilege	3888	Bootstrapper.exe
Token: SeDebugPrivilege	4080	Bootstrapper.exe
Token: SeDebugPrivilege	3476	Bootstrapper.exe
Token: SeDebugPrivilege	2608	Bootstrapper.exe
Token: SeDebugPrivilege	3976	Bootstrapper.exe
Token: SeDebugPrivilege	2652	Bootstrapper.exe
Token: SeDebugPrivilege	2952	Bootstrapper.exe
Token: SeDebugPrivilege	4224	Bootstrapper.exe
Token: SeDebugPrivilege	1428	Bootstrapper.exe
Token: SeDebugPrivilege	1880	Bootstrapper.exe
Token: SeDebugPrivilege	3624	Bootstrapper.exe
Token: SeDebugPrivilege	4032	Bootstrapper.exe
Token: SeDebugPrivilege	1152	Bootstrapper.exe
Token: SeDebugPrivilege	4428	Bootstrapper.exe
Token: SeDebugPrivilege	3532	Bootstrapper.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
3888	Bootstrapper.exe
4080	Bootstrapper.exe
3476	Bootstrapper.exe
2608	Bootstrapper.exe
3976	Bootstrapper.exe
2652	Bootstrapper.exe
2952	Bootstrapper.exe
4224	Bootstrapper.exe
1428	Bootstrapper.exe
1880	Bootstrapper.exe
3624	Bootstrapper.exe
4032	Bootstrapper.exe
1152	Bootstrapper.exe
4428	Bootstrapper.exe
3532	Bootstrapper.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
3888	Bootstrapper.exe
4080	Bootstrapper.exe
3476	Bootstrapper.exe
2608	Bootstrapper.exe
3976	Bootstrapper.exe
2652	Bootstrapper.exe
2952	Bootstrapper.exe
4224	Bootstrapper.exe
1428	Bootstrapper.exe
1880	Bootstrapper.exe
3624	Bootstrapper.exe
4032	Bootstrapper.exe
1152	Bootstrapper.exe
4428	Bootstrapper.exe
3532	Bootstrapper.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3532	Bootstrapper.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 3972	2288	BPLogger.exe	86
PID 2288 wrote to memory of 3972	2288	BPLogger.exe	86
PID 2288 wrote to memory of 3888	2288	BPLogger.exe	88
PID 2288 wrote to memory of 3888	2288	BPLogger.exe	88
PID 3888 wrote to memory of 224	3888	Bootstrapper.exe	89
PID 3888 wrote to memory of 224	3888	Bootstrapper.exe	89
PID 3888 wrote to memory of 2360	3888	Bootstrapper.exe	91
PID 3888 wrote to memory of 2360	3888	Bootstrapper.exe	91
PID 2360 wrote to memory of 2472	2360	cmd.exe	93
PID 2360 wrote to memory of 2472	2360	cmd.exe	93
PID 2360 wrote to memory of 4952	2360	cmd.exe	94
PID 2360 wrote to memory of 4952	2360	cmd.exe	94
PID 2360 wrote to memory of 4080	2360	cmd.exe	96
PID 2360 wrote to memory of 4080	2360	cmd.exe	96
PID 4080 wrote to memory of 1464	4080	Bootstrapper.exe	97
PID 4080 wrote to memory of 1464	4080	Bootstrapper.exe	97
PID 4080 wrote to memory of 4508	4080	Bootstrapper.exe	100
PID 4080 wrote to memory of 4508	4080	Bootstrapper.exe	100
PID 4508 wrote to memory of 3816	4508	cmd.exe	102
PID 4508 wrote to memory of 3816	4508	cmd.exe	102
PID 4508 wrote to memory of 816	4508	cmd.exe	103
PID 4508 wrote to memory of 816	4508	cmd.exe	103
PID 4508 wrote to memory of 3476	4508	cmd.exe	104
PID 4508 wrote to memory of 3476	4508	cmd.exe	104
PID 3476 wrote to memory of 1588	3476	Bootstrapper.exe	105
PID 3476 wrote to memory of 1588	3476	Bootstrapper.exe	105
PID 3476 wrote to memory of 1172	3476	Bootstrapper.exe	108
PID 3476 wrote to memory of 1172	3476	Bootstrapper.exe	108
PID 1172 wrote to memory of 1904	1172	cmd.exe	110
PID 1172 wrote to memory of 1904	1172	cmd.exe	110
PID 1172 wrote to memory of 1808	1172	cmd.exe	111
PID 1172 wrote to memory of 1808	1172	cmd.exe	111
PID 1172 wrote to memory of 2608	1172	cmd.exe	117
PID 1172 wrote to memory of 2608	1172	cmd.exe	117
PID 2608 wrote to memory of 2460	2608	Bootstrapper.exe	118
PID 2608 wrote to memory of 2460	2608	Bootstrapper.exe	118
PID 2608 wrote to memory of 3596	2608	Bootstrapper.exe	121
PID 2608 wrote to memory of 3596	2608	Bootstrapper.exe	121
PID 3596 wrote to memory of 3204	3596	cmd.exe	123
PID 3596 wrote to memory of 3204	3596	cmd.exe	123
PID 3596 wrote to memory of 3884	3596	cmd.exe	124
PID 3596 wrote to memory of 3884	3596	cmd.exe	124
PID 3596 wrote to memory of 3976	3596	cmd.exe	125
PID 3596 wrote to memory of 3976	3596	cmd.exe	125
PID 3976 wrote to memory of 3092	3976	Bootstrapper.exe	126
PID 3976 wrote to memory of 3092	3976	Bootstrapper.exe	126
PID 3976 wrote to memory of 4840	3976	Bootstrapper.exe	129
PID 3976 wrote to memory of 4840	3976	Bootstrapper.exe	129
PID 4840 wrote to memory of 2000	4840	cmd.exe	131
PID 4840 wrote to memory of 2000	4840	cmd.exe	131
PID 4840 wrote to memory of 1520	4840	cmd.exe	132
PID 4840 wrote to memory of 1520	4840	cmd.exe	132
PID 4840 wrote to memory of 2652	4840	cmd.exe	133
PID 4840 wrote to memory of 2652	4840	cmd.exe	133
PID 2652 wrote to memory of 1908	2652	Bootstrapper.exe	134
PID 2652 wrote to memory of 1908	2652	Bootstrapper.exe	134
PID 2652 wrote to memory of 3228	2652	Bootstrapper.exe	137
PID 2652 wrote to memory of 3228	2652	Bootstrapper.exe	137
PID 3228 wrote to memory of 3088	3228	cmd.exe	139
PID 3228 wrote to memory of 3088	3228	cmd.exe	139
PID 3228 wrote to memory of 4564	3228	cmd.exe	140
PID 3228 wrote to memory of 4564	3228	cmd.exe	140
PID 3228 wrote to memory of 2952	3228	cmd.exe	143
PID 3228 wrote to memory of 2952	3228	cmd.exe	143

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\BPLogger.exe
"C:\Users\Admin\AppData\Local\Temp\BPLogger.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3972
- C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
  "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QnAG0AOIDkhi.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2472
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4952
  - - C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
      "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4080
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1464
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Tjr3lzJAbcck.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4508
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3816
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:816
      - C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmPghaD0qhLS.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1808
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zkFsJ9R9Dab1.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3884
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGGFRmKqKmK1.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1520
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pXjkkJxTcoNp.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3088
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4564
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2952
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\91JGTK0jj0r5.bat" "
        15⤵
        
        PID:4084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3668
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5100
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4224
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\x0sUwnjhf6Av.bat" "
        17⤵
        
        PID:3724
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3080
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5004
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1428
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tyV493HgjOp8.bat" "
        19⤵
        
        PID:3204
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2072
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3868
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1880
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMmUNDwFo115.bat" "
        21⤵
        
        PID:4924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1572
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4612
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3624
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VeheISZEUvDb.bat" "
        23⤵
        
        PID:2452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3288
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4032
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mybyBjpltRPN.bat" "
        25⤵
        
        PID:4388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3264
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:924
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1152
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U3zUZSuVI0tb.bat" "
        27⤵
        
        PID:2748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4236
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4428
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xJJf1jbtqvWl.bat" "
        29⤵
        
        PID:2312
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2404
        
        C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe
        
        "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:3532
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Spotify" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JLyy250RadQq.bat" "
        31⤵
        
        PID:4156
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Bootstrapper.exe.log

Filesize
2KB

MD5
8f0271a63446aef01cf2bfc7b7c7976b

SHA1
b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

SHA256
da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

SHA512
78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\91JGTK0jj0r5.bat

Filesize
215B

MD5
784eebcf02b8aef99c1f286c57a94e4e

SHA1
c4dc3c22f83d39af88ad5f4639d5ea2a084ac5e9

SHA256
ddba0eeab0752c6dd0b4f798d50bd9bea859cfd085291b18e47cf2b661714db4

SHA512
d7f43d51f1bd3cde711e72beb8aef2fc558b2a121b0600773d42fc2693d44f9e8414da0864fd9752c1453130a251534e3f8c1e751011f295f44171ed88811551

Download Submit
C:\Users\Admin\AppData\Local\Temp\JLyy250RadQq.bat

Filesize
215B

MD5
ab4a8e3734280fb62f4a6ce477b3e602

SHA1
e69a557d6d06a5def348673a9a3d6eaccf920d74

SHA256
b2c4d598f86c522caa7e7c97e57ca00040e6dd29791837df9cc094dbf062bd94

SHA512
1e2153196aef18b8be31586e131d33fbef151c3b401b930dcea07b6931b5539db2dd717c2514a4fd33f41dc1a5eaa2669ec8301fd92074e145211ae8c1ee0f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NMmUNDwFo115.bat

Filesize
215B

MD5
6864de4d5fc462918289ac4defef0fa4

SHA1
9196ce2f4e96817b7aea1bf6a226ad8e632ec357

SHA256
5da106f935c9feb562029d565aa150e8c9faa99a2e14fa7c221ea4be58a52599

SHA512
7cd4dd421b8555e2c366ab089fd6ed361de510bb04b187f6888c933a924aa6ca039a9e64d0d8e5489ecb81523834cc38ad999120880ea2e08603db27ad72e17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OGGFRmKqKmK1.bat

Filesize
215B

MD5
1da4452147821b749d603f878ae4f84f

SHA1
8ed86500d3ec2a923d08cc49dbe46a2df300cc44

SHA256
83458ecdeceb60a951e2b8fac99bd0cffd1e5274a8ecf240e9d13dc4e5a679e6

SHA512
6004cb25b45f72e660ed54df627be3676816dbe0ff7b58dd16fc2470ae9aea89561af8ef0c1c3485dd6e9c2648b5d29e9548a981f7cde5b08a9cc740566f3b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\QnAG0AOIDkhi.bat

Filesize
215B

MD5
12977405299b524c90be9b00e6f1b3d7

SHA1
cf84becd9dfd2d79010bc672be5535cbefece7cc

SHA256
70df4c0496a94e2f160b64ff99237043b753200c5317b10d2bb8d775c281b805

SHA512
34c50368a1e632efc0385236e44e60046a339ff0b412593bd80eba6facced6b9a983909cedc1ae7cea7278e0ec1a94c315e6ce098dae13351ef6f7c8c082f6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tjr3lzJAbcck.bat

Filesize
215B

MD5
5b641f1e94fac8dac63e5e026aa691d4

SHA1
5949a6b5f5eeb3c6df2c1a198dbfc3a4d412fa33

SHA256
a71201cdba9980f27b2f32d8ceaa9e62ab5dea3b8c3a7d63c0b068fca3daa455

SHA512
fd4bf6492e2e27738db1b8d31aa0e29c48b17304da87f14f228a9bdebf7a6130117c6df363333cd464275ac3873262ce6797a51a0f4ffdb4850afbb7f47b699c

Download Submit
C:\Users\Admin\AppData\Local\Temp\U3zUZSuVI0tb.bat

Filesize
215B

MD5
22dd72ed1a104a76a6a9c1db471e5e29

SHA1
a5913eb64e2fdcc44de93137cf9f7eb433a1725e

SHA256
cea2960614c138b3fdb1ffb92fb72d2999d5acdc4f3122c2942367c71d4524ad

SHA512
89234cccd9c3b09966e7e861257308f22b2068dccf9f0373f131a738eadd0f87394d0ee77e3ce178bfdfa50b2c6eac8fc70926be8eeea6edce200454f083e417

Download Submit
C:\Users\Admin\AppData\Local\Temp\VeheISZEUvDb.bat

Filesize
215B

MD5
4086b3c9fe3e186e93c9e6e47f5870de

SHA1
caaea20e7fed429a0eb16d96f24051bae3ea9cf1

SHA256
4415ea0c9d3ac38e4fedc5956c62cba54aa8f96969ccc25462975a923a600971

SHA512
8c7a4a4b4e6d46f70e919025bc61157b56ab90d48a88bfd9d2b78f89d5469e431051353d038718503f8221ea13bb7b5176bc3e1b3284b0b19016f5b28b081351

Download Submit
C:\Users\Admin\AppData\Local\Temp\mybyBjpltRPN.bat

Filesize
215B

MD5
d94a3140b104a49216ac53bd8c661ec7

SHA1
9a3178dcac1792fbfc9b35ba600a1bdcc93c4167

SHA256
5cab8ffd0f56f64cfef89ca0d39989702b992075cc571c521f3dc0a1ffcc78b3

SHA512
91511208892f8bd010a5b35af8ae26b4ff089a62b110e422274440e1040a0e48584540e8a2af9ce8d6d136d5823703a3e4e6017f8745a070c22a9ec0b7a0e87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pXjkkJxTcoNp.bat

Filesize
215B

MD5
bc3521ea21ab08459fc7a44871c0669b

SHA1
f1b5aa94c13250f8e0d97737f506e54ab2c3dd36

SHA256
9351ee2052888b440fd37a5088104bb6610bb65da2717138fc14537c076fd977

SHA512
60057d69abac9c5de1cf1ed35f2b4b2a4d5227f0069d2921675acffcd4c1f3f2727c0746822d21673acfa1d5d5257caa208c8a2e028c94392cae48ed4cf19978

Download Submit
C:\Users\Admin\AppData\Local\Temp\pmPghaD0qhLS.bat

Filesize
215B

MD5
56733b92ce59d956e411d40197589e68

SHA1
b6ca1352fa97e729876f74d68399f3e63aa3d2de

SHA256
44f4622e75c7c0da7397c7c3b76ae85b114e5f1c2fd669aee1c9b897fb094fd6

SHA512
f20ab88e616aeca97b5709bd861ae18c5df14f0a05f9b27ea91ae7795f62f8f4a4c4b544029bde915bec1ac47c20389fe68a76ffc7f81c5c09e106f6f96e217b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tyV493HgjOp8.bat

Filesize
215B

MD5
1189da9f8917b607c9a0573640956253

SHA1
b8a80deeecd3a970a3b8686853f980d94b3dd380

SHA256
e5367ea539330b126e649ad2b1c7e169071c49145bc55b1a015f1e43308248af

SHA512
b7da995c25fe2965199f5bab2865705ced0cfbb6a54a93494f5bfb32361d247dbc74b18ed542a7c66761638b110b90e87c780735ec135c619e87f470472561e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\x0sUwnjhf6Av.bat

Filesize
215B

MD5
191a025c06906748781ef0718b613dae

SHA1
b4243608d588cdccdee98c992a2703f1e086ab7b

SHA256
153d39b9bb592c3c511b221cf064156a718948c192cfeed7e51b94fa7887a603

SHA512
ea2199efd389515c1e90b8c0a86d6bb46645c0694ea45f5db7472be0097d8758bf3e01054aa5980111e5a904089e3f67412eb6ebe524e9ae6ba05bd8006a20a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xJJf1jbtqvWl.bat

Filesize
215B

MD5
8bf42de070c39e279664226ff11ac6e5

SHA1
831c5b3d4bf73f287243b800b5f35fd403d95442

SHA256
5e4e20ea5dd6af55ab4b71c7d7a98c72af6534793df7bae91ae66eb6a0d0fa40

SHA512
e2f6dfae270725d40f3ed1a97258b69485629afc670baade592d946b4cd1a0f23b2fb3f20139e5de060e10270cfcca14b0d7c5fb0fc4162a597d1c1615c72d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkFsJ9R9Dab1.bat

Filesize
215B

MD5
838db765d5a23e70f565402a0319e574

SHA1
a153fc5506afd66019abea06e86da8fb6fac41d9

SHA256
bbf9d5fa6648dbd747d0e883bef5bb5b5574cf724c44dd53c2ba0ba88e68d2d0

SHA512
0fa639d8152e1d1dedcf9219ddbab7592b19359d15fe4dbf2fe3d4a60a24fb43fff34b95101394d52e16e3ec01aee97b11a8b06ee8df04c7cae4380fce3a9859

Download Submit
C:\Users\Admin\AppData\Roaming\system32\Bootstrapper.exe

Filesize
3.1MB

MD5
14b871855a9046ef9aedeec80f9c2d86

SHA1
32c0ad34f524748b76c090fc881b75b928341e7e

SHA256
b14b916cd2f188ea09035489056e0bff9f8cb8e4a30eff50172f86319fabc940

SHA512
7ada8280b9a5a4dcb427da5f7634335c191645614148ed550dbbbacfaed72e1e99202caedddc02f48dc73d96bf0ecd4d35c2ed2d6206e9b25efba4f29dcc8e96

Download Submit
memory/2288-0-0x00007FFA4CD83000-0x00007FFA4CD85000-memory.dmp

Filesize
8KB

Download
memory/2288-8-0x00007FFA4CD80000-0x00007FFA4D841000-memory.dmp

Filesize
10.8MB

Download
memory/2288-2-0x00007FFA4CD80000-0x00007FFA4D841000-memory.dmp

Filesize
10.8MB

Download
memory/2288-1-0x0000000000D30000-0x0000000001054000-memory.dmp

Filesize
3.1MB

Download
memory/3888-17-0x00007FFA4CD80000-0x00007FFA4D841000-memory.dmp

Filesize
10.8MB

Download
memory/3888-12-0x000000001C000000-0x000000001C0B2000-memory.dmp

Filesize
712KB

Download
memory/3888-11-0x000000001BEF0000-0x000000001BF40000-memory.dmp

Filesize
320KB

Download
memory/3888-10-0x00007FFA4CD80000-0x00007FFA4D841000-memory.dmp

Filesize
10.8MB

Download
memory/3888-9-0x00007FFA4CD80000-0x00007FFA4D841000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads