Malware Analysis Report

2024-10-10 12:59

Sample ID 240602-15cxrsgh5w
Target Solara.exe
SHA256 ac8a918e84ef35d0f4c0c05f68f50ba8700f00b0e4af46e9b798d4aba9d818ff
Tags
dcrat evasion infostealer rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ac8a918e84ef35d0f4c0c05f68f50ba8700f00b0e4af46e9b798d4aba9d818ff

Threat Level: Known bad

The file Solara.exe was found to be: Known bad.

Malicious Activity Summary

dcrat evasion infostealer rat

Process spawned unexpected child process

DcRat

DCRat payload

Disables Task Manager via registry modification

Downloads MZ/PE file

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 22:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 22:13

Reported

2024-06-02 22:14

Platform

win11-20240426-en

Max time kernel

17s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Disables Task Manager via registry modification

evasion

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\Updates\Apply\lsass.exe C:\intodll\agentSaves.exe N/A
File created C:\Program Files (x86)\Windows Media Player\en-US\csrss.exe C:\intodll\agentSaves.exe N/A
File created C:\Program Files\7-Zip\Lang\smss.exe C:\intodll\agentSaves.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\29c1c3cc0f7685 C:\intodll\agentSaves.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Apply\6203df4a6bafc7 C:\intodll\agentSaves.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Updates\Apply\lsass.exe C:\intodll\agentSaves.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Updates\Apply\6203df4a6bafc7 C:\intodll\agentSaves.exe N/A
File created C:\Program Files (x86)\Microsoft\csrss.exe C:\intodll\agentSaves.exe N/A
File created C:\Program Files (x86)\Microsoft\886983d96e3d3e C:\intodll\agentSaves.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe C:\intodll\agentSaves.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\c5b4cb5e9653cc C:\intodll\agentSaves.exe N/A
File created C:\Program Files (x86)\Windows Media Player\en-US\886983d96e3d3e C:\intodll\agentSaves.exe N/A
File created C:\Program Files\7-Zip\Lang\69ddcba757bf72 C:\intodll\agentSaves.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe C:\intodll\agentSaves.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SchCache\55b276f4edf653 C:\intodll\agentSaves.exe N/A
File created C:\Windows\SchCache\StartMenuExperienceHost.exe C:\intodll\agentSaves.exe N/A
File created C:\Windows\LiveKernelReports\24dbde2999530e C:\intodll\agentSaves.exe N/A
File created C:\Windows\Performance\WinSAT\DataStore\agentSaves.exe C:\intodll\agentSaves.exe N/A
File created C:\Windows\Vss\Writers\Application\121e5b5079f7c0 C:\intodll\agentSaves.exe N/A
File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe C:\intodll\agentSaves.exe N/A
File created C:\Windows\diagnostics\index\StartMenuExperienceHost.exe C:\intodll\agentSaves.exe N/A
File created C:\Windows\Vss\Writers\Application\fontdrvhost.exe C:\intodll\agentSaves.exe N/A
File created C:\Windows\Performance\WinSAT\DataStore\a21309417955a6 C:\intodll\agentSaves.exe N/A
File created C:\Windows\Vss\Writers\Application\sysmon.exe C:\intodll\agentSaves.exe N/A
File opened for modification C:\Windows\Vss\Writers\Application\sysmon.exe C:\intodll\agentSaves.exe N/A
File created C:\Windows\Vss\Writers\Application\5b884080fd4f94 C:\intodll\agentSaves.exe N/A
File created C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\5940a34987c991 C:\intodll\agentSaves.exe N/A
File created C:\Windows\LiveKernelReports\WmiPrvSE.exe C:\intodll\agentSaves.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Wave.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings C:\intodll\agentSaves.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\intodll\agentSaves.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Updates\Apply\lsass.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe N/A
Token: SeDebugPrivilege N/A C:\intodll\agentSaves.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office\Updates\Apply\lsass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 916 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\Solara.exe C:\Users\Admin\AppData\Local\Temp\Wave.exe
PID 4328 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\Wave.exe C:\Windows\SysWOW64\WScript.exe
PID 3624 wrote to memory of 1888 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 4540 N/A C:\Windows\SysWOW64\cmd.exe C:\intodll\agentSaves.exe
PID 4540 wrote to memory of 4772 N/A C:\intodll\agentSaves.exe C:\intodll\agentSaves.exe
PID 1888 wrote to memory of 1876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4772 wrote to memory of 4396 N/A C:\intodll\agentSaves.exe C:\Windows\System32\cmd.exe
PID 4396 wrote to memory of 3912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4396 wrote to memory of 1612 N/A C:\Windows\System32\cmd.exe C:\Program Files\Microsoft Office\Updates\Apply\lsass.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Solara.exe

"C:\Users\Admin\AppData\Local\Temp\Solara.exe"

C:\Users\Admin\AppData\Local\Temp\Wave.exe

"C:\Users\Admin\AppData\Local\Temp\Wave.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intodll\SNnEeg5Q2Cv9CjuPi.bat" "

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\Writers\Application\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\Application\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\NetHood\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\SearchHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\Users\Default User\SearchHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\SearchHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\intodll\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\intodll\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\intodll\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\intodll\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\intodll\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\intodll\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Public\AccountPictures\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f

C:\intodll\agentSaves.exe

"C:\intodll\agentSaves.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\intodll\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\intodll\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\intodll\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\intodll\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\intodll\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\intodll\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Windows\SchCache\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SchCache\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Windows\SchCache\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\LiveKernelReports\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Apply\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\en-US\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\Application\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\Writers\Application\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Apply\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "agentSavesa" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\WinSAT\DataStore\agentSaves.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "agentSaves" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\agentSaves.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "agentSavesa" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\agentSaves.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\intodll\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\intodll\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\intodll\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c9ShmpXKCW.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Microsoft Office\Updates\Apply\lsass.exe

"C:\Program Files\Microsoft Office\Updates\Apply\lsass.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
PL 46.242.248.114:80 wojownicy.cloud tcp
PL 46.242.248.114:80 wojownicy.cloud tcp

Files

memory/916-0-0x00007FFDFEE33000-0x00007FFDFEE35000-memory.dmp

memory/916-1-0x0000000000820000-0x0000000000838000-memory.dmp

memory/916-2-0x00007FFDFEE30000-0x00007FFDFF8F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Wave.exe

MD5 685ff3fd7d167e37b45bda7c65fe191e
SHA1 b01fd735f75f2ac70fe78c30488cc19c0730378a
SHA256 b93a75b91fc959841d58f93830d4759f52e48ad15c16af9a18dd4d015623427f
SHA512 ae1389e64b5bf4ca6ced8a6ac1e17878684cd84ca8f342d8b3d2880129397d330838761c28e14327784fa627cedd1145036840af38dfe113e28208673d40a8b2

C:\intodll\y0LpePQk9XshIjFowHv2wkKGa7UJ.vbe

MD5 f1f4878ad9b863a501dc67c5abf778d8
SHA1 4e4bc06616ac50f2a213cb110db76a48726d1f8d
SHA256 05293f26bbcaf3bcc4047490be599c8e3663cf06be1422651ea2a42291cf6218
SHA512 a84fcfa4947c52531a9ae500e81ef69bed6fabb714190e9328e328bec23ca9b30c562d565aaccd3085ca086ae0814802ed54634c51bccbc6d5b84d3c8a75fb2c

C:\intodll\SNnEeg5Q2Cv9CjuPi.bat

MD5 3bcbf28bfcd7d6834260c1bfe587f748
SHA1 5903cf4f9af2c0fb7758d610cf55fca400681f31
SHA256 2c3da80e897eeac43a7af3256ff0d7ace9f47409eb807d3ea927386a18bb50b0
SHA512 1f3c27dfe1c4207a8e504e1e9fe05a00e411bf9391725d9606b189135d52896c6116d514ff339f1f825a27c283b19103725d8ada7ec3bd7337dd8ab8d1d004c4

C:\intodll\agentSaves.exe

MD5 8ee83bf5811c7d6dfc440def46698e1b
SHA1 ba308e644aa6da9c49b30cde55250bd21b46311d
SHA256 0829cf36a0c20e61d3b17d7567285d8c781956f11bcf5dfdf01bf7eec55639ee
SHA512 3b85bb9588e00962a3c6b7943682ea854dd07eb147328613a76ee12495182f293f8c9ca4e893a35998257308404d312dddeff5a2eb233f76d7360f86c0d9c61b

memory/4540-24-0x0000000000660000-0x0000000000736000-memory.dmp

memory/916-46-0x00007FFDFEE30000-0x00007FFDFF8F2000-memory.dmp

C:\Recovery\WindowsRE\66fc9ff0ee96c2

MD5 3bdbe46418ded0645e8fe71f787f7c3d
SHA1 1b8a171676535b4849b4d5c67e6b2caf0be2eb67
SHA256 c952e4ea221f51a2fcdb5bb7b6d06eb64bde2d83f3ea5a36fc0f512694b6b979
SHA512 fbaa970dab389ae57aaac64c23ee1e1ca67d326417e8af6893b4c237e946e64a00f352346de79feac809929447acf57854fcd94068e5c960f8aad8a770882865

C:\intodll\e1ef82546f0b02

MD5 630829d3e0378f17f99f97783639fc9b
SHA1 8e7df94816a990fffdc132e275abd3433953751f
SHA256 64da0c6e9c6ace6145c9de3f159cf5385e27b95637d9fe8d3097d380e94e0eab
SHA512 3b3559183750d5d973cfd05fb9f1922457022c6773f6b43efe41b1dd97b895ea49dcfb694a229df511302ecbdbab8948e2fc525248c697fc7a609ca4b52fe3b4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\agentSaves.exe.log

MD5 400b532c938aca538f01c5616cf318cd
SHA1 598a59a9434e51a6416f91a4c83bd02505ecb846
SHA256 28e57db6d7535775b5e65c90ab208c7fe392e373056db5d35e76854270ecd05d
SHA512 b15583323c457d389b873eb31b8e59fef450c0c0e684b0f797231e8d0abace9227b15d4e45b45f4c79ad044a28cc3d79f9f7c2a81bd38e43b0c09f07aaa95b73

C:\Users\Admin\AppData\Local\Temp\c9ShmpXKCW.bat

MD5 12b63dedf363c1db2bf6d083ca36568b
SHA1 709a1d1c3384d37bb8a920c0bc7b4d9b91d5dfcf
SHA256 ed375d8dcc7ad3bbadce6219275990ce4f867706b43f798bca26e68e202481fb
SHA512 8ab6f3874e13e8127b99ff99a21d3638f2eb21ba61dde3144979063c7bd064873d8ed8fad452255ce316cd2ee0e6b2262df6ebd0593d8838c3896107a0acf623