Malware Analysis Report

2024-08-06 11:39

Sample ID 240611-bzkb8ayfqh
Target 1b1eb2ec84ec46145969c46749dc4063.bin
SHA256 8c8a3846e1f9c9aef9566158cbe5c69f26ea1d1167f387bea8ab9a6f8de2b31e
Tags
quasar spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8c8a3846e1f9c9aef9566158cbe5c69f26ea1d1167f387bea8ab9a6f8de2b31e

Threat Level: Known bad

The file 1b1eb2ec84ec46145969c46749dc4063.bin was found to be: Known bad.

Malicious Activity Summary

quasar spyware trojan

Quasar RAT

Quasar payload

Quasar family

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Runs ping.exe

Uses Task Scheduler COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-11 01:34

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 01:34

Reported

2024-06-11 01:37

Platform

win7-20240221-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b1eb2ec84ec46145969c46749dc4063.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1b1eb2ec84ec46145969c46749dc4063.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2044 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\1b1eb2ec84ec46145969c46749dc4063.exe C:\Windows\system32\schtasks.exe
PID 2044 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\1b1eb2ec84ec46145969c46749dc4063.exe C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
PID 2700 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\system32\schtasks.exe
PID 2700 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\system32\cmd.exe
PID 2716 wrote to memory of 2416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2716 wrote to memory of 2156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2716 wrote to memory of 1660 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
PID 1660 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\system32\schtasks.exe
PID 1660 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\system32\cmd.exe
PID 2756 wrote to memory of 240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2756 wrote to memory of 1584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2756 wrote to memory of 1896 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
PID 1896 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\system32\schtasks.exe
PID 1896 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\system32\cmd.exe
PID 1752 wrote to memory of 448 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1752 wrote to memory of 1104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1752 wrote to memory of 1244 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
PID 1244 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\system32\cmd.exe
PID 2384 wrote to memory of 2596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2384 wrote to memory of 636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2384 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1b1eb2ec84ec46145969c46749dc4063.exe

"C:\Users\Admin\AppData\Local\Temp\1b1eb2ec84ec46145969c46749dc4063.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\z8xTrPX75zv6.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\V23xDKlVfTx3.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\xF9PIplEx3WW.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\P6MpYx6S6k3g.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AWK5JyC0UJPM.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\PFFNN8viPHAx.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\EZmeo2IV2bu6.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DjPZYLMDhkYp.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\B0We3ZLHky7x.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\iFVeSjbkx81E.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\gjz87PbHDXCj.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KpcbrDyEq2pE.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 01:34

Reported

2024-06-11 01:37

Platform

win10v2004-20240426-en

Max time kernel

142s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b1eb2ec84ec46145969c46749dc4063.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1b1eb2ec84ec46145969c46749dc4063.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4500 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\1b1eb2ec84ec46145969c46749dc4063.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4500 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\1b1eb2ec84ec46145969c46749dc4063.exe C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
PID 4892 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4892 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\system32\cmd.exe
PID 3940 wrote to memory of 4364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3940 wrote to memory of 3748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3940 wrote to memory of 732 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
PID 732 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\SYSTEM32\schtasks.exe
PID 732 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\system32\cmd.exe
PID 4596 wrote to memory of 4284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4596 wrote to memory of 3580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4596 wrote to memory of 1060 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
PID 1060 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1060 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\system32\cmd.exe
PID 1900 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1900 wrote to memory of 4100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1900 wrote to memory of 4624 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
PID 4624 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4624 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\system32\cmd.exe
PID 4172 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4172 wrote to memory of 4636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4172 wrote to memory of 708 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
PID 708 wrote to memory of 544 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\SYSTEM32\schtasks.exe
PID 708 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\system32\cmd.exe
PID 4268 wrote to memory of 4340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4268 wrote to memory of 4776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4268 wrote to memory of 2232 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe
PID 2232 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2232 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe C:\Windows\system32\cmd.exe
PID 4844 wrote to memory of 3356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4844 wrote to memory of 5104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4844 wrote to memory of 3412 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1b1eb2ec84ec46145969c46749dc4063.exe

"C:\Users\Admin\AppData\Local\Temp\1b1eb2ec84ec46145969c46749dc4063.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KzjNhzGYvUfH.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H7KwHdO7JuoR.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mRHiYENnzM4J.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sdxaNdWhXxGC.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NoNwjSSktdMD.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U8E8pkxWxlS7.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\T6o6axoqdLja.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cY2MjAvJlNDq.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7fI5KnZy2hnq.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TAQhe8uuITIh.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a6bIYiJvngCL.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8kZ08cqPzjD8.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 10.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 6.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\SubDir\Byfron.exe

C:\Users\Admin\AppData\Local\Temp\KzjNhzGYvUfH.bat

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Byfron.exe.log

C:\Users\Admin\AppData\Local\Temp\H7KwHdO7JuoR.bat

C:\Users\Admin\AppData\Local\Temp\mRHiYENnzM4J.bat

C:\Users\Admin\AppData\Local\Temp\sdxaNdWhXxGC.bat

C:\Users\Admin\AppData\Local\Temp\NoNwjSSktdMD.bat

C:\Users\Admin\AppData\Local\Temp\U8E8pkxWxlS7.bat

C:\Users\Admin\AppData\Local\Temp\T6o6axoqdLja.bat

C:\Users\Admin\AppData\Local\Temp\cY2MjAvJlNDq.bat

C:\Users\Admin\AppData\Local\Temp\7fI5KnZy2hnq.bat

C:\Users\Admin\AppData\Local\Temp\TAQhe8uuITIh.bat

C:\Users\Admin\AppData\Local\Temp\a6bIYiJvngCL.bat

C:\Users\Admin\AppData\Local\Temp\8kZ08cqPzjD8.bat