quasar | 3e77ae72af3f9a18de88cb41b6686253d5b20e2ed215a26217b96520415db1d5

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
23/03/2025, 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bloom Reducer.exe
Size

502KB
MD5

df5da5f129d8b2b9ebcadd00f88da030
SHA1

afe7fbc6c2462fcdab5edfb40db828297832b5ea
SHA256

3e77ae72af3f9a18de88cb41b6686253d5b20e2ed215a26217b96520415db1d5
SHA512

6832b2c35b367190ba4a4eb8ac54476c63836321c8d77089c86c6b2016dba6badd4d6555ec450433a572b7b3b8388f2b4b793e720f859ddf8e6db2b5b8d21fac
SSDEEP

6144:wTEgdc0YhebGbXOsA6j1RdhHudPSBlh/nKRFwQHocEP0b8F96y24GkficTR3u:wTEgdfY5A6PukGFwffUy24ficdu

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

chaarlie-44115.portmap.host:44115

Mutex

ba91e72b-9fea-40fe-830d-df56f58d0810

Attributes

encryption_key
6B1195D9FAF0B46710DC1B441D5B78F5F750CCC8
install_name
bloom reducer.exe
log_directory
Logs
reconnect_delay
1000
startup_key
system32
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3392-1-0x0000000000340000-0x00000000003C4000-memory.dmp	family_quasar
behavioral2/files/0x00070000000242b3-5.dat	family_quasar

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	bloom reducer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	bloom reducer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	bloom reducer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	bloom reducer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	bloom reducer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	bloom reducer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	bloom reducer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	bloom reducer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	bloom reducer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	bloom reducer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	bloom reducer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	bloom reducer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	bloom reducer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	bloom reducer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	bloom reducer.exe

Executes dropped EXE 15 IoCs

pid	Process
2292	bloom reducer.exe
3588	bloom reducer.exe
5800	bloom reducer.exe
3532	bloom reducer.exe
2656	bloom reducer.exe
5072	bloom reducer.exe
4904	bloom reducer.exe
4688	bloom reducer.exe
5516	bloom reducer.exe
4604	bloom reducer.exe
4880	bloom reducer.exe
2220	bloom reducer.exe
6060	bloom reducer.exe
60	bloom reducer.exe
2700	bloom reducer.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir\bloom reducer.exe	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir\bloom reducer.exe	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir\bloom reducer.exe	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir\bloom reducer.exe	Bloom Reducer.exe
File opened for modification	C:\Windows\system32\SubDir	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir\bloom reducer.exe	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir\bloom reducer.exe	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir\bloom reducer.exe	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir	Bloom Reducer.exe
File opened for modification	C:\Windows\system32\SubDir\bloom reducer.exe	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir\bloom reducer.exe	bloom reducer.exe
File created	C:\Windows\system32\SubDir\bloom reducer.exe	Bloom Reducer.exe
File opened for modification	C:\Windows\system32\SubDir\bloom reducer.exe	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir\bloom reducer.exe	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir\bloom reducer.exe	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir\bloom reducer.exe	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir\bloom reducer.exe	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir\bloom reducer.exe	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir\bloom reducer.exe	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir	bloom reducer.exe
File opened for modification	C:\Windows\system32\SubDir	bloom reducer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4608	PING.EXE
1508	PING.EXE
4360	PING.EXE
5856	PING.EXE
1164	PING.EXE
3604	PING.EXE
1852	PING.EXE
2312	PING.EXE
2612	PING.EXE
2400	PING.EXE
2488	PING.EXE
3976	PING.EXE
1848	PING.EXE
2120	PING.EXE
5064	PING.EXE

Runs ping.exe 1 TTPs 15 IoCs

Remote System Discovery

T1018

pid	Process
1164	PING.EXE
2400	PING.EXE
4360	PING.EXE
5064	PING.EXE
1848	PING.EXE
1508	PING.EXE
2120	PING.EXE
2612	PING.EXE
3976	PING.EXE
1852	PING.EXE
5856	PING.EXE
4608	PING.EXE
2488	PING.EXE
3604	PING.EXE
2312	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3344	schtasks.exe
4244	schtasks.exe
3460	schtasks.exe
2660	schtasks.exe
4052	schtasks.exe
4564	schtasks.exe
1204	schtasks.exe
2204	schtasks.exe
1296	schtasks.exe
2968	schtasks.exe
4660	schtasks.exe
6068	schtasks.exe
1812	schtasks.exe
2072	schtasks.exe
4680	schtasks.exe
1524	schtasks.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3392	Bloom Reducer.exe
Token: SeDebugPrivilege	2292	bloom reducer.exe
Token: SeDebugPrivilege	3588	bloom reducer.exe
Token: SeDebugPrivilege	5800	bloom reducer.exe
Token: SeDebugPrivilege	3532	bloom reducer.exe
Token: SeDebugPrivilege	2656	bloom reducer.exe
Token: SeDebugPrivilege	5072	bloom reducer.exe
Token: SeDebugPrivilege	4904	bloom reducer.exe
Token: SeDebugPrivilege	4688	bloom reducer.exe
Token: SeDebugPrivilege	5516	bloom reducer.exe
Token: SeDebugPrivilege	4604	bloom reducer.exe
Token: SeDebugPrivilege	4880	bloom reducer.exe
Token: SeDebugPrivilege	2220	bloom reducer.exe
Token: SeDebugPrivilege	6060	bloom reducer.exe
Token: SeDebugPrivilege	60	bloom reducer.exe
Token: SeDebugPrivilege	2700	bloom reducer.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2292	bloom reducer.exe
3588	bloom reducer.exe
5800	bloom reducer.exe
3532	bloom reducer.exe
2656	bloom reducer.exe
5072	bloom reducer.exe
4904	bloom reducer.exe
4688	bloom reducer.exe
5516	bloom reducer.exe
4604	bloom reducer.exe
4880	bloom reducer.exe
2220	bloom reducer.exe
6060	bloom reducer.exe
60	bloom reducer.exe
2700	bloom reducer.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
2292	bloom reducer.exe
3588	bloom reducer.exe
5800	bloom reducer.exe
3532	bloom reducer.exe
2656	bloom reducer.exe
5072	bloom reducer.exe
4904	bloom reducer.exe
4688	bloom reducer.exe
5516	bloom reducer.exe
4604	bloom reducer.exe
4880	bloom reducer.exe
2220	bloom reducer.exe
6060	bloom reducer.exe
60	bloom reducer.exe
2700	bloom reducer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 4244	3392	Bloom Reducer.exe	86
PID 3392 wrote to memory of 4244	3392	Bloom Reducer.exe	86
PID 3392 wrote to memory of 2292	3392	Bloom Reducer.exe	88
PID 3392 wrote to memory of 2292	3392	Bloom Reducer.exe	88
PID 2292 wrote to memory of 1204	2292	bloom reducer.exe	92
PID 2292 wrote to memory of 1204	2292	bloom reducer.exe	92
PID 2292 wrote to memory of 4652	2292	bloom reducer.exe	94
PID 2292 wrote to memory of 4652	2292	bloom reducer.exe	94
PID 4652 wrote to memory of 4600	4652	cmd.exe	98
PID 4652 wrote to memory of 4600	4652	cmd.exe	98
PID 4652 wrote to memory of 4608	4652	cmd.exe	99
PID 4652 wrote to memory of 4608	4652	cmd.exe	99
PID 4652 wrote to memory of 3588	4652	cmd.exe	104
PID 4652 wrote to memory of 3588	4652	cmd.exe	104
PID 3588 wrote to memory of 2204	3588	bloom reducer.exe	105
PID 3588 wrote to memory of 2204	3588	bloom reducer.exe	105
PID 3588 wrote to memory of 2188	3588	bloom reducer.exe	107
PID 3588 wrote to memory of 2188	3588	bloom reducer.exe	107
PID 2188 wrote to memory of 1164	2188	cmd.exe	110
PID 2188 wrote to memory of 1164	2188	cmd.exe	110
PID 2188 wrote to memory of 2312	2188	cmd.exe	111
PID 2188 wrote to memory of 2312	2188	cmd.exe	111
PID 2188 wrote to memory of 5800	2188	cmd.exe	112
PID 2188 wrote to memory of 5800	2188	cmd.exe	112
PID 5800 wrote to memory of 3460	5800	bloom reducer.exe	113
PID 5800 wrote to memory of 3460	5800	bloom reducer.exe	113
PID 5800 wrote to memory of 5236	5800	bloom reducer.exe	115
PID 5800 wrote to memory of 5236	5800	bloom reducer.exe	115
PID 5236 wrote to memory of 5556	5236	cmd.exe	117
PID 5236 wrote to memory of 5556	5236	cmd.exe	117
PID 5236 wrote to memory of 1508	5236	cmd.exe	118
PID 5236 wrote to memory of 1508	5236	cmd.exe	118
PID 5236 wrote to memory of 3532	5236	cmd.exe	121
PID 5236 wrote to memory of 3532	5236	cmd.exe	121
PID 3532 wrote to memory of 2660	3532	bloom reducer.exe	122
PID 3532 wrote to memory of 2660	3532	bloom reducer.exe	122
PID 3532 wrote to memory of 3360	3532	bloom reducer.exe	124
PID 3532 wrote to memory of 3360	3532	bloom reducer.exe	124
PID 3360 wrote to memory of 3596	3360	cmd.exe	126
PID 3360 wrote to memory of 3596	3360	cmd.exe	126
PID 3360 wrote to memory of 2120	3360	cmd.exe	127
PID 3360 wrote to memory of 2120	3360	cmd.exe	127
PID 3360 wrote to memory of 2656	3360	cmd.exe	135
PID 3360 wrote to memory of 2656	3360	cmd.exe	135
PID 2656 wrote to memory of 4052	2656	bloom reducer.exe	136
PID 2656 wrote to memory of 4052	2656	bloom reducer.exe	136
PID 2656 wrote to memory of 5040	2656	bloom reducer.exe	138
PID 2656 wrote to memory of 5040	2656	bloom reducer.exe	138
PID 5040 wrote to memory of 3344	5040	cmd.exe	140
PID 5040 wrote to memory of 3344	5040	cmd.exe	140
PID 5040 wrote to memory of 2612	5040	cmd.exe	141
PID 5040 wrote to memory of 2612	5040	cmd.exe	141
PID 5040 wrote to memory of 5072	5040	cmd.exe	142
PID 5040 wrote to memory of 5072	5040	cmd.exe	142
PID 5072 wrote to memory of 4564	5072	bloom reducer.exe	143
PID 5072 wrote to memory of 4564	5072	bloom reducer.exe	143
PID 5072 wrote to memory of 6136	5072	bloom reducer.exe	145
PID 5072 wrote to memory of 6136	5072	bloom reducer.exe	145
PID 6136 wrote to memory of 4552	6136	cmd.exe	147
PID 6136 wrote to memory of 4552	6136	cmd.exe	147
PID 6136 wrote to memory of 2400	6136	cmd.exe	148
PID 6136 wrote to memory of 2400	6136	cmd.exe	148
PID 6136 wrote to memory of 4904	6136	cmd.exe	149
PID 6136 wrote to memory of 4904	6136	cmd.exe	149

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Bloom Reducer.exe
"C:\Users\Admin\AppData\Local\Temp\Bloom Reducer.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "system32" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Bloom Reducer.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4244
- C:\Windows\system32\SubDir\bloom reducer.exe
  "C:\Windows\system32\SubDir\bloom reducer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "system32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\bloom reducer.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YD1TzSNyfjPD.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:4600
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4608
  - - C:\Windows\system32\SubDir\bloom reducer.exe
      "C:\Windows\system32\SubDir\bloom reducer.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3588
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "system32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\bloom reducer.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2204
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LFhv6oNkHYxk.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2188
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1164
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2312
      - C:\Windows\system32\SubDir\bloom reducer.exe
        
        "C:\Windows\system32\SubDir\bloom reducer.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:5800
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "system32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\bloom reducer.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6s9yZO6oGqDN.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5236
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:5556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1508
        
        C:\Windows\system32\SubDir\bloom reducer.exe
        
        "C:\Windows\system32\SubDir\bloom reducer.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "system32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\bloom reducer.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pWrcV2FiRLLm.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2120
        
        C:\Windows\system32\SubDir\bloom reducer.exe
        
        "C:\Windows\system32\SubDir\bloom reducer.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "system32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\bloom reducer.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jbjgbABz8YzS.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3344
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2612
        
        C:\Windows\system32\SubDir\bloom reducer.exe
        
        "C:\Windows\system32\SubDir\bloom reducer.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "system32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\bloom reducer.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W14jWCnKdrVd.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:6136
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4552
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2400
        
        C:\Windows\system32\SubDir\bloom reducer.exe
        
        "C:\Windows\system32\SubDir\bloom reducer.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4904
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "system32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\bloom reducer.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m6AwqtjekpM9.bat" "
        15⤵
        
        PID:2624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1164
        
        C:\Windows\system32\SubDir\bloom reducer.exe
        
        "C:\Windows\system32\SubDir\bloom reducer.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4688
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "system32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\bloom reducer.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tjBsYHWPeXxI.bat" "
        17⤵
        
        PID:1916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3900
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2488
        
        C:\Windows\system32\SubDir\bloom reducer.exe
        
        "C:\Windows\system32\SubDir\bloom reducer.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5516
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "system32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\bloom reducer.exe" /rl HIGHEST /f
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WpQpsEEVMFpP.bat" "
        19⤵
        
        PID:5540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:5352
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4360
        
        C:\Windows\system32\SubDir\bloom reducer.exe
        
        "C:\Windows\system32\SubDir\bloom reducer.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4604
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "system32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\bloom reducer.exe" /rl HIGHEST /f
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rG9TPPcZtdpU.bat" "
        21⤵
        
        PID:216
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3720
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3604
        
        C:\Windows\system32\SubDir\bloom reducer.exe
        
        "C:\Windows\system32\SubDir\bloom reducer.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4880
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "system32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\bloom reducer.exe" /rl HIGHEST /f
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l7BkwrkFE5ty.bat" "
        23⤵
        
        PID:3980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:5360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3976
        
        C:\Windows\system32\SubDir\bloom reducer.exe
        
        "C:\Windows\system32\SubDir\bloom reducer.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2220
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "system32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\bloom reducer.exe" /rl HIGHEST /f
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Eoqlj79qclY9.bat" "
        25⤵
        
        PID:3332
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2120
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1852
        
        C:\Windows\system32\SubDir\bloom reducer.exe
        
        "C:\Windows\system32\SubDir\bloom reducer.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:6060
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "system32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\bloom reducer.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J5aLb7eg0Jg3.bat" "
        27⤵
        
        PID:1336
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4584
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5064
        
        C:\Windows\system32\SubDir\bloom reducer.exe
        
        "C:\Windows\system32\SubDir\bloom reducer.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:60
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "system32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\bloom reducer.exe" /rl HIGHEST /f
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGv53sLdePPR.bat" "
        29⤵
        
        PID:4856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:3372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5856
        
        C:\Windows\system32\SubDir\bloom reducer.exe
        
        "C:\Windows\system32\SubDir\bloom reducer.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2700
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "system32" /sc ONLOGON /tr "C:\Windows\system32\SubDir\bloom reducer.exe" /rl HIGHEST /f
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\I7f59ugx5Lhq.bat" "
        31⤵
        
        PID:1904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:344
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\bloom reducer.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\6s9yZO6oGqDN.bat

Filesize
203B

MD5
4dd8f20ed82db2880e14b0bea2254a53

SHA1
602723d9e84be747ca3ac468c6c2eaae1b8fc3fa

SHA256
89b63e1b0265813576f3d5c556a4b1b8996c3d2aec40159aaa3f0089b3584db5

SHA512
b502c81652802e8d35c7a27ff8fa846306a45ead32eb6d40a61920ea490709d6308eef8d7babe2e9f1a65dc95f0d1678e13d9552f39dc443ddecdb8fca4be9e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Eoqlj79qclY9.bat

Filesize
203B

MD5
76c124cf840603c75eb3fe09625f92f8

SHA1
6536fb645661a6d426abb1fb6c0f598a61b84b32

SHA256
9c0543479f5dfa6e4679defe7a79bdb75a3b0a07940e9efdbedd219bed59453e

SHA512
dc5744ca7f4fd11c3b076daee4eee7f349af5bb06506c40b572a829a48336e18532c04a77d3e35f383f96578e40106191b760d1937c37d9365d1640f47fa4d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\I7f59ugx5Lhq.bat

Filesize
203B

MD5
a4fa16abd55f22a13c14fc5a641ea4ca

SHA1
83932489ca2f8cb01fd47914ac8b1aa72574892a

SHA256
fb696c8e2cdb5a81586f31ae81d6a49f327a1500c32a6f1629df2fe6c23b39f9

SHA512
102e007e7a304d8e6ede8deab0e9f2b7ee83fff97b0b27eff4003b7b293668ffc0a0d14aeae0cab936cc3862d6fae454cd4ea918467e85d2ffc449a3c30e6441

Download Submit
C:\Users\Admin\AppData\Local\Temp\J5aLb7eg0Jg3.bat

Filesize
203B

MD5
8f7e26de20984ff7a6c513075bd936f8

SHA1
d8d93775874add070e08344c7ad7b28e7a7f1897

SHA256
4f89f76016a8cea15b7a041927476e429b8c7b9d81737c760b165cf035641028

SHA512
9fe6c5f4b6a112ae546c40972edeee7483d1e1e9673e97a18726a63764cbe1dc936a8f107b8b7218432c8ea08242dd06c6fada5148f41e5644b2d2f5d0612cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\LFhv6oNkHYxk.bat

Filesize
203B

MD5
b3a8f36196436032cf8f562c11044a9d

SHA1
e2be5f5011156e1f88da23412bed10ea51fb005d

SHA256
9b11440d51bb8bd4ddee5629caaa9699a591a79908916241f540580d1608dd7d

SHA512
37c037e4d9fe546bc0336c064c78b315e27b9bc989ef8316b8390a3fbaa2f725c24d5c685060f9614051447e06b9fcabdb65da467bdc6de046abc92a234f2f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\W14jWCnKdrVd.bat

Filesize
203B

MD5
15035c7b3191e9645937539912926e22

SHA1
ec4db4105aff8c4c85e349f894a821a88f21b2fd

SHA256
5e5b6ab07a912632a677712bb45e208f1133b0be6988c271274ecbfc6a59eaec

SHA512
9b819975735f92efac9afdf2b5160c2dcb24913a583d3ca03594fb082c5110f55b1959f9d4a6b5cbd61446125a1d943e844f4738e893aee82cc6628abf3a88d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WpQpsEEVMFpP.bat

Filesize
203B

MD5
5c152f1c86f27eba518182d5a5b63f28

SHA1
57b0d00a152cb9cdf0eab072648909a3f6fdcd89

SHA256
70360443a8d714b7496b2af9718bf74870c313cf7b341021f0a73af78ca34616

SHA512
08e10649778bb340e39f67f27bbc4c9171212194c050f48339fe52cae2596b89d328c977f97e149282c5147e04870753cb4901053002467a1a3ddbcb1d997370

Download Submit
C:\Users\Admin\AppData\Local\Temp\YD1TzSNyfjPD.bat

Filesize
203B

MD5
b4b0b4d44041f420ebf76ea1b8cca406

SHA1
d5e2eca1591f277fb9c83d83465ba67e6082722e

SHA256
d90c755c0ae06c48ecf9aed2a2f97aeceed73bc46e5e9e2feba37e71d4590f82

SHA512
8662554b5f0d35bd6d9a6eb4c09765a0a0519e46bb2a6ae3774bb35405074104ffb575fd6163c604c22accaa6f20509e744f659b05c3158755f937dcc29641e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbjgbABz8YzS.bat

Filesize
203B

MD5
75366c026973874149934bc6229af6df

SHA1
c4246eb887fe3a89644e78131868703312198ebc

SHA256
1d970cc92e75ef234b038fac46688f679e61df70563485aee76a2c0ab0fbbec9

SHA512
7449be931e8bd13642fe0999afd9e6457ddaa57e1989bcf26fdf71021b1df8d6c9d0f5c68d83ef088a3e89f063048d2c66f1b750e835f89ce4e38a247ae85bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\l7BkwrkFE5ty.bat

Filesize
203B

MD5
25b9c80abe1d7d23026223b049e06dbf

SHA1
7ad7c8ec370b0399430ce65dbbd52b24f63d8ed3

SHA256
6892394bac71185668f314ce7c0a1ef1a9da93725a34c34914836dc2cd61757e

SHA512
06a939c4993e12881bc2b2efc576b52d6d7992a7752ec1e5a569e2907c15b19f9f64f5205c9ddd2ec8fdefab3346f1e895d39daec3aaca1598a2bba50663db30

Download Submit
C:\Users\Admin\AppData\Local\Temp\m6AwqtjekpM9.bat

Filesize
203B

MD5
075cc52ebb838ef93c139d3dbf4ba911

SHA1
7985a62695b52a801906812c28ed29981b62dce0

SHA256
0abb8125cd595128a9ee8ed5f5386322534df9f738c6199383537d5efdbe0fb7

SHA512
7764d07af05c28cda6feefebda22ad66248ec387e384980fd224aec5d8cb2a982367f742e90edde973d592b32649886fa3de9de6f3d4ef24122d72cc46ac2a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\pWrcV2FiRLLm.bat

Filesize
203B

MD5
bab44630130bd09e2e4196bd772638ba

SHA1
d581aeda69b3428b95f0b3257d11461bf76e3c14

SHA256
e5e6737a244214687e7093e2ce77b6b530ed6f0af37020307ffec8405bf3d9d8

SHA512
91c39dcc72b3437c4d5a1fa95d7ac04a9a178651bfa7419c0d8a1fdac7c17c7526cee74013001b18ef4c5e2ded84e6db39d4a2132b0962e0e8e48a9dfde98bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\rG9TPPcZtdpU.bat

Filesize
203B

MD5
6dd2578d724fef896cff9238b1b051d8

SHA1
c756220879115373be309c31154afedae6f12edb

SHA256
9a4970f449e0ffcd74279a89c8ca3cf49b368d46d75a54dcb571d8ed676cb10b

SHA512
5c8f1720abf003bedcbc4cc0278f0de0c6417158d9bf1199b87f0f584dfdaf49e80665067727796f2c1154c280b72e6181a329293ebd11e8c088eecb0cdb0885

Download Submit
C:\Users\Admin\AppData\Local\Temp\tjBsYHWPeXxI.bat

Filesize
203B

MD5
7f785afb6cbfc3392944ed1cb943c628

SHA1
7082583965addb7d88f5920a4bb54b60b565bfe0

SHA256
aa3198d995a85603dbb19de52a92f5c2360ea9103020e374e9f2352b1f6c00cf

SHA512
4869d7e40133252d3b7685a63c94221d23a83b6fa0e196e08fa17e015468198a75202a69e929c602e474a383c1ef821ca13c48de24aebbb1a1c56393b093ae11

Download Submit
C:\Users\Admin\AppData\Local\Temp\wGv53sLdePPR.bat

Filesize
203B

MD5
b8404194a5d8370a75780d7f28aff14f

SHA1
57750518c866fa63732023da9c35672fc5fbd56c

SHA256
3ec6a1ab27220a0825e75f66b84873b6ef1aa543e989c50142a30429f05f6a35

SHA512
fdeab72b4e9108df710a52a160a6dd98608e8c86de85644964f6e11e95de2e3255d8c20ef3858a48e9a56045442b91eb26be7873cfffa17f8a5993725acb2e54

Download Submit
C:\Windows\System32\SubDir\bloom reducer.exe

Filesize
502KB

MD5
df5da5f129d8b2b9ebcadd00f88da030

SHA1
afe7fbc6c2462fcdab5edfb40db828297832b5ea

SHA256
3e77ae72af3f9a18de88cb41b6686253d5b20e2ed215a26217b96520415db1d5

SHA512
6832b2c35b367190ba4a4eb8ac54476c63836321c8d77089c86c6b2016dba6badd4d6555ec450433a572b7b3b8388f2b4b793e720f859ddf8e6db2b5b8d21fac

Download Submit
memory/2292-17-0x00007FF8D56E0000-0x00007FF8D61A1000-memory.dmp

Filesize
10.8MB

Download
memory/2292-12-0x000000001BDA0000-0x000000001BE52000-memory.dmp

Filesize
712KB

Download
memory/2292-11-0x000000001BC90000-0x000000001BCE0000-memory.dmp

Filesize
320KB

Download
memory/2292-10-0x00007FF8D56E0000-0x00007FF8D61A1000-memory.dmp

Filesize
10.8MB

Download
memory/2292-8-0x00007FF8D56E0000-0x00007FF8D61A1000-memory.dmp

Filesize
10.8MB

Download
memory/3392-0-0x00007FF8D56E3000-0x00007FF8D56E5000-memory.dmp

Filesize
8KB

Download
memory/3392-9-0x00007FF8D56E0000-0x00007FF8D61A1000-memory.dmp

Filesize
10.8MB

Download
memory/3392-2-0x00007FF8D56E0000-0x00007FF8D61A1000-memory.dmp

Filesize
10.8MB

Download
memory/3392-1-0x0000000000340000-0x00000000003C4000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads