Resubmissions

04-08-2024 16:51

240804-vcxhtazejn 10

03-08-2024 18:23

240803-w1gb6swbnb 10

Analysis

  • max time kernel
    143s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
  • submitted
    03-08-2024 18:23

General

  • Target

    Solara.exe

  • Size

    3.1MB

  • MD5

    3cf4f19b7c69135acb3c4c9bb9cdfb90

  • SHA1

    e2b5a40dd2abfa03671fde7c4e74f9b2846f989f

  • SHA256

    6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf

  • SHA512

    4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd

  • SSDEEP

    49152:DvehBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaxAtueYFoGdXTHHB72eh2NT:DvAt2d5aKCuVPzlEmVQ0wvwf+tuee

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

nohchy-47404.portmap.host:47404

Mutex

1a1e174b-dbf8-49ad-9b43-2cfbb233a6d9

Attributes
  • encryption_key

    795CDD46D2CDD422BE523F263B64E03D8B6AAD42

  • install_name

    SolaraExecutor.exe

  • log_directory

    Logs

  • reconnect_delay

    2000

  • startup_key

    RtkAudUService64

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 10 IoCs
  • Executes dropped EXE 15 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Solara.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2264
    • C:\Windows\system32\SubDir\SolaraExecutor.exe
      "C:\Windows\system32\SubDir\SolaraExecutor.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2768
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\SK5H3Korz0Nr.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2940
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:2808
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2688
          • C:\Windows\system32\SubDir\SolaraExecutor.exe
            "C:\Windows\system32\SubDir\SolaraExecutor.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2720
            • C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2696
            • C:\Windows\system32\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\iS0vXBTx76Oq.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2500
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:1376
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2584
                • C:\Windows\system32\SubDir\SolaraExecutor.exe
                  "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of WriteProcessMemory
                  PID:2344
                  • C:\Windows\system32\schtasks.exe
                    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:2892
                  • C:\Windows\system32\cmd.exe
                    cmd /c ""C:\Users\Admin\AppData\Local\Temp\beIjAqYj6C0z.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2960
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:3000
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:2084
                      • C:\Windows\system32\SubDir\SolaraExecutor.exe
                        "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of WriteProcessMemory
                        PID:1120
                        • C:\Windows\system32\schtasks.exe
                          "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:1464
                        • C:\Windows\system32\cmd.exe
                          cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ri9sI293ECw4.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2220
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:3068
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:3028
                            • C:\Windows\system32\SubDir\SolaraExecutor.exe
                              "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              PID:992
                              • C:\Windows\system32\schtasks.exe
                                "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:980
                              • C:\Windows\system32\cmd.exe
                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\O2DknaK2haHZ.bat" "
                                11⤵
                                  PID:912
                                  • C:\Windows\system32\chcp.com
                                    chcp 65001
                                    12⤵
                                      PID:1580
                                    • C:\Windows\system32\PING.EXE
                                      ping -n 10 localhost
                                      12⤵
                                      • System Network Configuration Discovery: Internet Connection Discovery
                                      • Runs ping.exe
                                      PID:2252
                                    • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                      "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                      12⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of FindShellTrayWindow
                                      • Suspicious use of SendNotifyMessage
                                      PID:1700
                                      • C:\Windows\system32\schtasks.exe
                                        "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                        13⤵
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1012
                                      • C:\Windows\system32\cmd.exe
                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\k2aD27vUHmUc.bat" "
                                        13⤵
                                          PID:1696
                                          • C:\Windows\system32\chcp.com
                                            chcp 65001
                                            14⤵
                                              PID:1432
                                            • C:\Windows\system32\PING.EXE
                                              ping -n 10 localhost
                                              14⤵
                                              • System Network Configuration Discovery: Internet Connection Discovery
                                              • Runs ping.exe
                                              PID:2412
                                            • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                              "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                              14⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of FindShellTrayWindow
                                              • Suspicious use of SendNotifyMessage
                                              PID:1636
                                              • C:\Windows\system32\schtasks.exe
                                                "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                15⤵
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:876
                                              • C:\Windows\system32\cmd.exe
                                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\byK9SXkdgp8k.bat" "
                                                15⤵
                                                  PID:2448
                                                  • C:\Windows\system32\chcp.com
                                                    chcp 65001
                                                    16⤵
                                                      PID:948
                                                    • C:\Windows\system32\PING.EXE
                                                      ping -n 10 localhost
                                                      16⤵
                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                      • Runs ping.exe
                                                      PID:2932
                                                    • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                      "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                      16⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of FindShellTrayWindow
                                                      • Suspicious use of SendNotifyMessage
                                                      PID:2804
                                                      • C:\Windows\system32\schtasks.exe
                                                        "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                        17⤵
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2808
                                                      • C:\Windows\system32\cmd.exe
                                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4rinAEpdqkIa.bat" "
                                                        17⤵
                                                          PID:2644
                                                          • C:\Windows\system32\chcp.com
                                                            chcp 65001
                                                            18⤵
                                                              PID:2660
                                                            • C:\Windows\system32\PING.EXE
                                                              ping -n 10 localhost
                                                              18⤵
                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                              • Runs ping.exe
                                                              PID:2964
                                                            • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                              "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                              18⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • Suspicious use of FindShellTrayWindow
                                                              • Suspicious use of SendNotifyMessage
                                                              PID:2696
                                                              • C:\Windows\system32\schtasks.exe
                                                                "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                19⤵
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:2604
                                                              • C:\Windows\system32\cmd.exe
                                                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\Wx4UDzm0raJA.bat" "
                                                                19⤵
                                                                  PID:2528
                                                                  • C:\Windows\system32\chcp.com
                                                                    chcp 65001
                                                                    20⤵
                                                                      PID:2524
                                                                    • C:\Windows\system32\PING.EXE
                                                                      ping -n 10 localhost
                                                                      20⤵
                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                      • Runs ping.exe
                                                                      PID:2500
                                                                    • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                                      "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      • Suspicious use of FindShellTrayWindow
                                                                      • Suspicious use of SendNotifyMessage
                                                                      PID:2996
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                        21⤵
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:3004
                                                                      • C:\Windows\system32\cmd.exe
                                                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\PVZXIWmrS2Nq.bat" "
                                                                        21⤵
                                                                          PID:3056
                                                                          • C:\Windows\system32\chcp.com
                                                                            chcp 65001
                                                                            22⤵
                                                                              PID:2508
                                                                            • C:\Windows\system32\PING.EXE
                                                                              ping -n 10 localhost
                                                                              22⤵
                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                              • Runs ping.exe
                                                                              PID:2960
                                                                            • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                                              "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                                              22⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              • Suspicious use of FindShellTrayWindow
                                                                              • Suspicious use of SendNotifyMessage
                                                                              PID:2076
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                                23⤵
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:2180
                                                                              • C:\Windows\system32\cmd.exe
                                                                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\IGBm0SBLYEQe.bat" "
                                                                                23⤵
                                                                                  PID:2164
                                                                                  • C:\Windows\system32\chcp.com
                                                                                    chcp 65001
                                                                                    24⤵
                                                                                      PID:2308
                                                                                    • C:\Windows\system32\PING.EXE
                                                                                      ping -n 10 localhost
                                                                                      24⤵
                                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                                      • Runs ping.exe
                                                                                      PID:2152
                                                                                    • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                                                      "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                                                      24⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      • Suspicious use of FindShellTrayWindow
                                                                                      • Suspicious use of SendNotifyMessage
                                                                                      PID:1212
                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                        "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                                        25⤵
                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                        PID:1192
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nKsFkfG6mL8T.bat" "
                                                                                        25⤵
                                                                                          PID:2380
                                                                                          • C:\Windows\system32\chcp.com
                                                                                            chcp 65001
                                                                                            26⤵
                                                                                              PID:1308
                                                                                            • C:\Windows\system32\PING.EXE
                                                                                              ping -n 10 localhost
                                                                                              26⤵
                                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                                              • Runs ping.exe
                                                                                              PID:540
                                                                                            • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                                                              "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                                                              26⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              • Suspicious use of FindShellTrayWindow
                                                                                              • Suspicious use of SendNotifyMessage
                                                                                              PID:2400
                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                                                27⤵
                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                PID:2128
                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\cEDflr4PDprn.bat" "
                                                                                                27⤵
                                                                                                  PID:1428
                                                                                                  • C:\Windows\system32\chcp.com
                                                                                                    chcp 65001
                                                                                                    28⤵
  PID:1284
• C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  28⤵
  • System Network Configuration Discovery: Internet Connection Discovery
  • Runs ping.exe
  PID:2020
• C:\Windows\system32\SubDir\SolaraExecutor.exe
  "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  28⤵
  • Executes dropped EXE
  • Suspicious use of AdjustPrivilegeToken
  • Suspicious use of FindShellTrayWindow
  • Suspicious use of SendNotifyMessage
  PID:2452
  • C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    29⤵
    • Scheduled Task/Job: Scheduled Task
    PID:676
  • C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\SK0VdrIKZnli.bat" "
    29⤵
    PID:2928
    • C:\Windows\system32\chcp.com
      chcp 65001
      30⤵
      PID:1616
    • C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      30⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2356
    • C:\Windows\system32\SubDir\SolaraExecutor.exe
      "C:\Windows\system32\SubDir\SolaraExecutor.exe"
      30⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2864
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
        31⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3032
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Q5z56clmd1FE.bat" "
        31⤵
        PID:2016
        • C:\Windows\system32\chcp.com
          chcp 65001
          32⤵
          PID:2072
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          32⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2668

Downloads

• C:\Users\Admin\AppData\Local\Temp\4rinAEpdqkIa.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\IGBm0SBLYEQe.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\O2DknaK2haHZ.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\PVZXIWmrS2Nq.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\Q5z56clmd1FE.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\Ri9sI293ECw4.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\SK0VdrIKZnli.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\SK5H3Korz0Nr.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\Wx4UDzm0raJA.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\beIjAqYj6C0z.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\byK9SXkdgp8k.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\cEDflr4PDprn.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\iS0vXBTx76Oq.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\k2aD27vUHmUc.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\nKsFkfG6mL8T.bat (204B)
• C:\Windows\System32\SubDir\SolaraExecutor.exe (3.1MB, same hashes as the submitted Solara.exe)
• \??\PIPE\srvsvc (empty)
• memory/992-56-0x0000000000E40000-0x0000000001164000-memory.dmp (3.1MB)
• memory/2300-9-0x00000000000B0000-0x00000000003D4000-memory.dmp (3.1MB)
• memory/2300-7-0x000007FEF68F0000-0x000007FEF72DC000-memory.dmp (9.9MB)
• memory/2300-20-0x000007FEF68F0000-0x000007FEF72DC000-memory.dmp (9.9MB)
• memory/2300-10-0x000007FEF68F0000-0x000007FEF72DC000-memory.dmp (9.9MB)
• memory/2344-33-0x00000000009C0000-0x0000000000CE4000-memory.dmp (3.1MB)
• memory/2400-144-0x0000000001230000-0x0000000001554000-memory.dmp (3.1MB)
• memory/2544-0-0x000007FEF68F3000-0x000007FEF68F4000-memory.dmp (4KB)
• memory/2544-8-0x000007FEF68F0000-0x000007FEF72DC000-memory.dmp (9.9MB)
• memory/2544-2-0x000007FEF68F0000-0x000007FEF72DC000-memory.dmp (9.9MB)
• memory/2544-1-0x0000000000AF0000-0x0000000000E14000-memory.dmp (3.1MB)
• memory/2696-100-0x0000000001190000-0x00000000014B4000-memory.dmp (3.1MB)
• memory/2720-22-0x0000000000240000-0x0000000000564000-memory.dmp (3.1MB)
• memory/2804-89-0x0000000001170000-0x0000000001494000-memory.dmp (3.1MB)
• memory/2864-167-0x0000000001370000-0x0000000001694000-memory.dmp (3.1MB)