Malware Analysis Report

2024-08-06 11:50

Sample ID 240609-c6ekzsdb22
Target Byfron.exe
SHA256 29bd747b03d4cc850e0c0733b4ff15a29ecd61de57701e4e6cc7aed90b83ef56
Tags
ohio quasar spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

29bd747b03d4cc850e0c0733b4ff15a29ecd61de57701e4e6cc7aed90b83ef56

Threat Level: Known bad

The file Byfron.exe was found to be: Known bad.

Malicious Activity Summary

ohio quasar spyware trojan

Quasar family

Quasar payload

Quasar RAT

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Remote System Discovery
T1018
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-09 02:41

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 02:41

Reported

2024-06-09 02:44

Platform

win10-20240404-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Byfron.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Byfron.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4816 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\Byfron.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4816 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\Byfron.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4816 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\Byfron.exe C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
PID 4816 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\Byfron.exe C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
PID 3648 wrote to memory of 216 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3648 wrote to memory of 216 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3648 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\system32\cmd.exe
PID 3648 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\system32\cmd.exe
PID 4488 wrote to memory of 4512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4488 wrote to memory of 4512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4488 wrote to memory of 3636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4488 wrote to memory of 3636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4488 wrote to memory of 4548 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
PID 4488 wrote to memory of 4548 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
PID 4548 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4548 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4548 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\system32\cmd.exe
PID 4548 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\system32\cmd.exe
PID 4612 wrote to memory of 2952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4612 wrote to memory of 2952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4612 wrote to memory of 1540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4612 wrote to memory of 1540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4612 wrote to memory of 4288 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
PID 4612 wrote to memory of 4288 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
PID 4288 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4288 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4288 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\system32\cmd.exe
PID 4288 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\system32\cmd.exe
PID 4748 wrote to memory of 1328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4748 wrote to memory of 1328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4748 wrote to memory of 1312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4748 wrote to memory of 1312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4748 wrote to memory of 3148 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
PID 4748 wrote to memory of 3148 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
PID 3148 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3148 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3148 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\system32\cmd.exe
PID 3148 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\system32\cmd.exe
PID 2060 wrote to memory of 4580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2060 wrote to memory of 4580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2060 wrote to memory of 1272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2060 wrote to memory of 1272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2060 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
PID 2060 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
PID 1792 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1792 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1792 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\system32\cmd.exe
PID 1792 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\system32\cmd.exe
PID 4476 wrote to memory of 64 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4476 wrote to memory of 64 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4476 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4476 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4476 wrote to memory of 4300 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
PID 4476 wrote to memory of 4300 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
PID 4300 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4300 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4300 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\system32\cmd.exe
PID 4300 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\system32\cmd.exe
PID 3476 wrote to memory of 404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3476 wrote to memory of 404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3476 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3476 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3476 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
PID 3476 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Byfron.exe

"C:\Users\Admin\AppData\Local\Temp\Byfron.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QL60oPaY9TH0.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XZnENHZOweSx.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUwVP5LC1p4x.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Mr2r4gC2PV56.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZEVaEL12xU9e.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\otcjA491IT6Q.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iyMbeM5scY35.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\J9Tu0eGCazMb.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKDsBrS147pv.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bJ5B3o0Sl4WE.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5UyYUvTcmfnR.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sZEEx7dcoxLc.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2sf0w0l7WzLG.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp

Files

memory/4816-0-0x00007FFCC9C13000-0x00007FFCC9C14000-memory.dmp

memory/4816-1-0x0000000000D80000-0x00000000010A4000-memory.dmp

memory/4816-2-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Byfron.exe.log

MD5 d63ff49d7c92016feb39812e4db10419
SHA1 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

memory/3648-10-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp

memory/3648-11-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

MD5 cb12954abfb20424cfc22e1c189ddfa9
SHA1 dc8cb9d361cebb1a4ca13ce904cdd7136c9255c2
SHA256 29bd747b03d4cc850e0c0733b4ff15a29ecd61de57701e4e6cc7aed90b83ef56
SHA512 54dafd06e682eef74fd9d1377917429b1b304bb0be185f32406dbdea56d6afd8047a213f3e40191a817931077ee448993d9adc6228a1ab042fee52b9ebac611f

memory/3648-13-0x000000001C320000-0x000000001C3D2000-memory.dmp

memory/3648-12-0x000000001C210000-0x000000001C260000-memory.dmp

memory/3648-18-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\QL60oPaY9TH0.bat

MD5 694b0edf8a6f18cc334778791f1c9a87
SHA1 50ebe2159e558b25c7478d06be960cc796f4a547
SHA256 a771d16b5940bbea11d008e188482ce3285a8fdef4a6ec3f2b55e142d5d3e63f
SHA512 86b78e61a70b0ac1de47171e245b7f0431805b90450affa0e4a8b32959b6b75a42e4474fb88740be44b487696a4e17a52efd56404b3582c28df14ea463e37808

C:\Users\Admin\AppData\Local\Temp\XZnENHZOweSx.bat

MD5 3489eb1cb254d735204b46294776ea34
SHA1 62302fa9b1f1ab04495fd9d6d1d7668d1ca368a0
SHA256 ab8ad1d67ca3e0e8bb96d602c92e6949f86ad445032b5aff78e0fb71c7a3e500
SHA512 0e48e9f2f21625172d6f315753587d7468df3df7be8a248315024192f5be2022571027184196dcb5071d8ad73c31601998104ee2024fd9550cb289875a074fd8

memory/4816-24-0x00007FFCC9C10000-0x00007FFCCA5FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OUwVP5LC1p4x.bat

MD5 ad0f93d8b7661d83de6005e6725010cb
SHA1 4828b00f4f5485cf78836f9de9dd62e0e698094d
SHA256 51d4ff2d8df24795360715a989fd1cfc320f863312b3138755a6cb4df6fc3db1
SHA512 08caa26d634dc2c85b45942af38545d044afdd013ffd312eb6161ed98571b98b96248e154b3048188106be68a0ad25a9d9e7a3ebd929773f725606760b011b8d

C:\Users\Admin\AppData\Local\Temp\Mr2r4gC2PV56.bat

MD5 daeaa556994968f6f18a711d073a84c2
SHA1 383ad1d67e8c3c929ffd99b2a30aedf3c31e5e83
SHA256 1b9f50dfb9c6d1746d4dd0f1976eee6969e01ff864d9f7a301f419ae9a6cba69
SHA512 a53004469e70eb200dd2758df467093ea28f3c622d11f5e6519bfdaf229ca6cd272bb2616a5e3550333e57c28e21d9799e49d65e622a265e0ecd941c6ea84fde

C:\Users\Admin\AppData\Local\Temp\ZEVaEL12xU9e.bat

MD5 87683d04af6cff5c96836bd4a0257218
SHA1 10ac12074b26b281f96ec736568c0816f1960657
SHA256 9cf35c6c0ee5f0dae975eeef76ee2b52d037528636c608983c51b0456de3faae
SHA512 cf7592dcd3f4ff9298830bc2babaa33da6eb5e79d5b59303adea5d1898d2d0bbb51671a6ba315016074340302640580458aee413048f897710bee068e1c0f0ad

C:\Users\Admin\AppData\Local\Temp\otcjA491IT6Q.bat

MD5 72eafa5dca73de58363e45ebcb7d6149
SHA1 137d7ec1e08bfbaeb1fc535a5c3aa597e9cfca15
SHA256 f52f67720070241dbb2e7fcca85ca8ffcdec3edacd5615fcc7caa87ecc5dcbb6
SHA512 e8778aade22667e95aab7a803f318ed5bf2ebc2c9821caf5a9d55e4e18f716ff0c41e0017e0f519fe96bf6adf329bb4f1fbb18946f9f88c4dce4f5bf55e40034

C:\Users\Admin\AppData\Local\Temp\iyMbeM5scY35.bat

MD5 d15a30b5311747917648511a22ca57ed
SHA1 7cebe7d85d60932bf8c5fbf9c6b62bdd61447ed0
SHA256 419b7bf1d5ca8c0ea75831a0d233c91e6b9677b68fcb6213b257e213d38bebb1
SHA512 c88783f65dfe604d1b73fe4adc6a20c2d6ab333a348cb1c594fd22bb88310d19527e98b4c695b1e85791f161731efbf1808db3de0d0a4ddba9056dfa879b5963

C:\Users\Admin\AppData\Local\Temp\J9Tu0eGCazMb.bat

MD5 ed6ceaa216764a373ac62848d736efe0
SHA1 999733b1db6f1d31cc44d1d47e2afb521427f0c3
SHA256 0927d3ed02f35dcaa2b58b060b8ca2be9562f75d469188be1df6d1ce584ccc6d
SHA512 aa95a36bb773e48a59f67cfc9bf0d548b994f7fef4df02c1ce1305d523d70849cbe381f9c0537efff444710ccf1ef84a77db23099d59ed4951c1225ad6430c04

C:\Users\Admin\AppData\Local\Temp\GKDsBrS147pv.bat

MD5 37a9dff8f58d407957c44ce7adb40fcf
SHA1 87d0b60ef9fda397a87c7efb3e120602b7e4bcc9
SHA256 3959de9e5e992b18c2e4736df7d3ce6e15200d3af86003c3122d93101ee769bf
SHA512 38f4ffcb5d80c221ec72ff4a2787155b53548b338df0b110f438d8da37f072ea1b1a76fe7dd2b55b9e8c486f65b6a32c0185d0db9de85dbb476f7c8e5375659a

C:\Users\Admin\AppData\Local\Temp\bJ5B3o0Sl4WE.bat

MD5 612fdec1cdd4b95472680830db8be4f5
SHA1 6fa24972ca064c01d83d95f19b208981af94a46c
SHA256 df4600c9e7f749c46b0313268eab925bd91435696ce0ae78fa89fa167b2b8d46
SHA512 264293c78ca61759c022cb30bdc718f7c68aec0a431bfb6dfa0047b671bf13a058e15adce227a55c945ad19bf1d9a70dd886f16f2ac6da29060df13c8033c1dd

C:\Users\Admin\AppData\Local\Temp\5UyYUvTcmfnR.bat

MD5 e79a2a4eb425d4501020241f40e73105
SHA1 93a026c571bb8dce55b3981953a0f86c89a41ec9
SHA256 b21b5ad5adfadd345a3c90be8a4dc4680d948ab378438280f863eebacda8b6a9
SHA512 adf8579ae5b65f2be0f75e299deb6cba203024cd20afd8860d33e8333097e66138c681fc43b279919413a26d27f70cc96c802deeba027e2861b857c3da1d9f6b

C:\Users\Admin\AppData\Local\Temp\sZEEx7dcoxLc.bat

MD5 0e57ed661b8a55e24607e3c900884a4b
SHA1 c0dbc7560c6049829e47ca27d5525399eafc9d98
SHA256 fc94f6b3df351b8b072e191c39d837d7a3fcf6f47aa4ad9c20a7a828d0139781
SHA512 9b4746bfd3288e19b87dad6201a1ca6609dd0abc56021c860b0f09e09aa3332a82568ef4a8cc85f43a8f5fd7034285079559b5843e3b8cb3ca7f221f43270d22

C:\Users\Admin\AppData\Local\Temp\2sf0w0l7WzLG.bat

MD5 92709e37181ae5752172194d73d4100c
SHA1 20d5b14cd2d92890f71aa25035f6dd1367d52d51
SHA256 7956e74180106aa1d86a58d5bbde26b01dd7101d4bb35208eb46a8b5350723ac
SHA512 de033e69602511690442eb6f32a64ea61d6af59d285345b749d9d894ceead9239c07df6c2c26ecfff4b6dd01c87868a71a983f984c07c1c615e66eb07f55bc81