Resubmissions
22-02-2025 04:36
250222-e77z2axpfy 1022-02-2025 04:30
250222-e5b5ksymaj 1022-02-2025 03:57
250222-eh157axrem 1022-02-2025 03:49
250222-edlvpsxqgl 10Analysis
-
max time kernel
251s -
max time network
246s -
platform
windows11-21h2_x64 -
resource
win11-20250217-en -
resource tags
-
submitted
22-02-2025 04:30
General
-
Target
BootstrapperNew.exe
-
Size
534KB
-
MD5
64fdd7496eddeb222bea9a42fe6ed53d
-
SHA1
998dcd9b27a2120cc46f0e47d65d29af12944d27
-
SHA256
c0f57bfe8d8a19483cf6e2cbc7dd6bd0cbe15c60aec3ba13bf1da4ba76470c1b
-
SHA512
9e7c4401fb3e0cca134087a87b78ba9466182d9678eb6be356edbe52b5337e91dfdf3342b6671092e8215583d425cc696f608cd05d706673be499b928268fe27
-
SSDEEP
6144:Aa0ScUn4SkuC/Ee0lPYdue6VlWT8b9acd3YduIsan//fnss1OJb50D08I:AxfZ/9axPVle8kssX08I
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Loads dropped DLL 64 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 15 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
-
Suspicious behavior: LoadsDriver 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Publisher" /tr "C:\Users\Admin\AppData\Roaming\System" & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Publisher" /tr "C:\Users\Admin\AppData\Roaming\System"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Camtasia" /tr "C:\Users\Admin\AppData\Roaming\Windows" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo 5 /tn "Camtasia" /tr "C:\Users\Admin\AppData\Roaming\Windows" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit2⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST & exit3⤵
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "BootstrapperNew" /tr "C:\Users\Admin\AppData\Roaming\System" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Shutdown /l /f3⤵
-
C:\Windows\system32\shutdown.exeShutdown /l /f4⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa399e855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5512fc3c393f1d1c113289b495eb4f046
SHA146c2dd550181ea3a6277f9ef350dbdab9c3cc8a8
SHA2560137623e9ee9ef3e4a4027e060d57e864de9f94c913bf95db6a70424798ab7d8
SHA512da8cfc62db861e3b17162cb9d072c4dd8b690d6c284c4bda06043858531adfc5c3448c84e955576b1ddf9fd93858589d90afa335d8d77568dad17dca93d3bd74
-
Filesize
588KB
MD5908fa2dfb385771ecf5f8b2b3e7bff16
SHA11255fa1edbd2dbbcab6d9eb9f74b7d6783697a58
SHA25660ff5131dba68a8ffe7ba0475bf3e192b432e1969e5ac52d7f217f6935f4035d
SHA512573c9fde441fb8debaa44b6fa2d3763c3dc4714497089b82bedc8ef0720eea4a907f75cffb1c0ec4a77ac89cfecbef8e6182a2a8fea5b51a2e91920ceaad5f69
-
Filesize
136KB
MD516e5a492c9c6ae34c59683be9c51fa31
SHA197031b41f5c56f371c28ae0d62a2df7d585adaba
SHA25635c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA51220fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
472KB
-
Filesize
120KB
-
Filesize
72KB
-
Filesize
1.4MB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
552KB
