Malware Analysis Report

2024-10-23 21:24

Sample ID 240804-bsehdssalp
Target 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
SHA256 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
Tags
office04 quasar discovery spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf

Threat Level: Known bad

The file 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar discovery spyware trojan

Quasar RAT

Quasar payload

Quasar family

Checks computer location settings

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-04 01:24

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-04 01:24

Reported

2024-08-04 01:26

Platform

win7-20240708-en

Max time kernel

143s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe N/A
File opened for modification C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
N/A N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2916 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe C:\Windows\system32\schtasks.exe
PID 2916 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe C:\Windows\system32\schtasks.exe
PID 2916 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe C:\Windows\system32\schtasks.exe
PID 2916 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2916 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2916 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2744 wrote to memory of 2132 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2744 wrote to memory of 2132 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2744 wrote to memory of 2132 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2744 wrote to memory of 2696 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2744 wrote to memory of 2696 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2744 wrote to memory of 2696 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2696 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2696 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2696 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2696 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2696 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2696 wrote to memory of 2560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2696 wrote to memory of 2200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2696 wrote to memory of 2200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2696 wrote to memory of 2200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2200 wrote to memory of 636 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2200 wrote to memory of 636 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2200 wrote to memory of 636 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2200 wrote to memory of 2780 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2200 wrote to memory of 2780 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2200 wrote to memory of 2780 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2780 wrote to memory of 2436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2780 wrote to memory of 2436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2780 wrote to memory of 2436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2780 wrote to memory of 2868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2780 wrote to memory of 2868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2780 wrote to memory of 2868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2780 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2780 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2780 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2624 wrote to memory of 2816 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2624 wrote to memory of 2816 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2624 wrote to memory of 2816 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2624 wrote to memory of 288 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2624 wrote to memory of 288 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2624 wrote to memory of 288 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 288 wrote to memory of 1364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 288 wrote to memory of 1364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 288 wrote to memory of 1364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 288 wrote to memory of 1532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 288 wrote to memory of 1532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 288 wrote to memory of 1532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 288 wrote to memory of 2168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 288 wrote to memory of 2168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 288 wrote to memory of 2168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2168 wrote to memory of 1888 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2168 wrote to memory of 1888 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2168 wrote to memory of 1888 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\schtasks.exe
PID 2168 wrote to memory of 2076 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2168 wrote to memory of 2076 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2168 wrote to memory of 2076 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2076 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2076 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2076 wrote to memory of 2908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2076 wrote to memory of 324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2076 wrote to memory of 324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2076 wrote to memory of 324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2076 wrote to memory of 1248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe

"C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\w8lKwKzL6O1o.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\s8cSGWumUXcy.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\9a9JatYmIKwD.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kSp0LcAZqQIi.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ookcGWi0iaCr.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\2Gs52dFuOOAc.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fHUypsR5cZe8.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\T4RnteHx2LUO.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ufVoy4qTmJBg.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\6wxKarHO4iDi.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XVn1Wk0PyNtH.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\z0fvVgTurJIq.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\MhLSwW5PbTD8.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XC5vi1IMF8Fy.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\HV4X7nAPaktd.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost
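The Processes list above repeats one chain many times over: the sample registers an ONLOGON scheduled task with /rl HIGHEST, named after Realtek's audio service (RtkAudUService64) but pointing at its own copy in C:\Windows\system32\SubDir\SolaraExecutor.exe, and every restart goes through a .bat in the user's Temp directory that runs chcp 65001, waits with ping -n 10 localhost, and launches SolaraExecutor.exe again. The WriteProcessMemory rows give the parent/child links. The same chain shows up in the behavioral2 (Windows 10) detonation. The Python below is an added example, not part of this sandbox report and not code from the Quasar project: it rebuilds process-creation events from the PIDs and command lines printed above (the ProcEvent layout, the rule names and the small System32 allowlist are assumptions for the example) and runs three checks over them: the elevated logon task, the ping-then-relaunch batch pattern, and the reconstructed process chain.

```python
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe")
DROPPED = r"C:\Windows\system32\SubDir\SolaraExecutor.exe"
TASK_CMD = ('"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON '
            f'/tr "{DROPPED}" /rl HIGHEST /f')


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (assumed layout, not a real log schema)."""
    pid: int
    ppid: int  # 0 = parent outside the capture
    image: str
    cmdline: str


# Constructed events modelled on behavioral1: PIDs, images and command lines
# come from the report, the parent links from its WriteProcessMemory rows.
EVENTS = [
    ProcEvent(2916, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1688, 2916, r"C:\Windows\system32\schtasks.exe", TASK_CMD),
    ProcEvent(2744, 2916, DROPPED, f'"{DROPPED}"'),
    ProcEvent(2132, 2744, r"C:\Windows\system32\schtasks.exe", TASK_CMD),
    ProcEvent(2696, 2744, r"C:\Windows\system32\cmd.exe",
              r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\w8lKwKzL6O1o.bat" "'),
    ProcEvent(2672, 2696, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(2560, 2696, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    ProcEvent(2200, 2696, DROPPED, f'"{DROPPED}"'),
]

_OPT = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^\s/"]\S*))?')
_USER_WRITABLE = re.compile(r"^c:\\users\\", re.I)
_SYS32_SUBDIR = re.compile(r"^c:\\windows\\system32\\[^\\]+\\", re.I)
# Assumed allowlist of System32 subdirectories that legitimately host task targets.
_SYS32_ALLOWED = {"windowspowershell", "wbem"}
_PING_WAIT = re.compile(r"\bping(?:\.exe)?\s+(?:-n\s+\d+\s+)?(?:localhost|127\.0\.0\.1)", re.I)


def parse_schtasks(cmdline):
    """Return schtasks switches as {name: value}; a bare switch maps to True."""
    opts = {}
    for m in _OPT.finditer(cmdline):
        val = m.group(2)
        opts[m.group(1).lower()] = val.strip('"') if val else True
    return opts


def detect_task_persistence(events):
    """Flag schtasks /create calls that install an elevated logon task."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if ntpath.basename(e.image).lower() != "schtasks.exe":
            continue
        o = parse_schtasks(e.cmdline)
        target = o.get("tr", "")
        if o.get("create") is not True or not (isinstance(target, str) and target):
            continue
        reasons = []
        if str(o.get("sc")).upper() == "ONLOGON" and str(o.get("rl")).upper() == "HIGHEST":
            reasons.append("elevated task runs at every logon")
        if _SYS32_SUBDIR.match(target) and target.lower().split("\\")[3] not in _SYS32_ALLOWED:
            reasons.append("target lives in an unexpected System32 subdirectory")
        parent = by_pid.get(e.ppid)
        if parent and _USER_WRITABLE.match(parent.image):
            reasons.append("created by a process running from a user-writable path")
        if reasons:
            findings.append(f"pid {e.pid}: task {o.get('tn')!r} -> {target} ({'; '.join(reasons)})")
    return findings


def detect_restart_batch(events):
    """Flag a cmd.exe that waits via ping, then relaunches its own parent's image."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    findings = []
    for cmd in events:
        if ntpath.basename(cmd.image).lower() != "cmd.exe":
            continue
        launcher = by_pid.get(cmd.ppid)
        kids = children[cmd.pid]
        waited = any(_PING_WAIT.search(k.cmdline) for k in kids)
        relaunch = [k for k in kids if launcher and k.image.lower() == launcher.image.lower()]
        if waited and relaunch:
            via = "batch file" if ".bat" in cmd.cmdline.lower() else "inline command"
            findings.append(f"pid {cmd.pid}: {via} delays with ping, then relaunches "
                            f"{ntpath.basename(launcher.image)} as pid {relaunch[0].pid}")
    return findings


def process_chain(events, pid):
    """Image basenames from the outermost captured ancestor down to pid."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for finding in detect_task_persistence(EVENTS) + detect_restart_batch(EVENTS):
        print(finding)
    print(" -> ".join(process_chain(EVENTS, 2200)))
```

Run as-is it reports both schtasks invocations (the first one also because it was spawned from the Temp directory), the w8lKwKzL6O1o.bat restart of SolaraExecutor.exe, and the chain sample.exe -> SolaraExecutor.exe -> cmd.exe -> SolaraExecutor.exe. On real telemetry, build ProcEvent rows from Sysmon Event ID 1 or Security event 4688 (process id, parent process id, image, command line) and keep the rules unchanged; the ping-to-localhost delay is the piece worth alerting on by itself, since it has no business purpose under cmd.exe.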

Network

Country Destination Domain Proto
US 8.8.8.8:53 nohchy-47404.portmap.host udp

Files

memory/2916-0-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp

memory/2916-1-0x0000000000EF0000-0x0000000001214000-memory.dmp

memory/2916-2-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

C:\Windows\System32\SubDir\SolaraExecutor.exe

MD5 3cf4f19b7c69135acb3c4c9bb9cdfb90
SHA1 e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
SHA256 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
SHA512 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd

memory/2916-7-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

memory/2744-8-0x0000000000D20000-0x0000000001044000-memory.dmp

memory/2744-10-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

memory/2744-9-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\w8lKwKzL6O1o.bat

MD5 daddb1b98c2aa9bf6535c7cce995eafb
SHA1 774286ebd53cd08f20e739d16895fe66c76b14ff
SHA256 7aca139ed0eff45af2911354921132fde1d712363dffe4e7e8f961f056b1b9ee
SHA512 2c06abecd9afa7e47631b51dc1af960102f2f68d545ad21fff2615d5763d38c9bb1814d83692aa83580342d75915af281d5f2fa0a8c17a273f8b2d326e573d26

memory/2744-20-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp

memory/2200-22-0x0000000000280000-0x00000000005A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\s8cSGWumUXcy.bat

MD5 cbbdfa0bb326f7e63a367fe9be7fd888
SHA1 2cdcf825e9162be34502052dd37e3c4894a01df6
SHA256 32213a5b4f50dbe1e80db42be22d577671826cf47e9ca9ccb1eeb874520c88f1
SHA512 29d7b3b7d474cc779fa4d67c47f043873c14812a5d12494960f292c26938d5bb8831fbba79f85ef1763b229f4ac5f4733dea5e7cb4857ecbf72838acb72daf77

memory/2624-33-0x0000000000030000-0x0000000000354000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9a9JatYmIKwD.bat

MD5 b40ecb22a2201a9d4d8d8681007cf62e
SHA1 c19a9da42637d979e1e0024fbaa41ab9f99cc25d
SHA256 8cbe2131f43905764537dee5f4c00bf766ed73739d9a014c0bd347cebfb2874c
SHA512 ba3ca397e2ee4de281559a89d68cdc7ddd8252225faa3a06fdc9134fdd9e07da7e76eacdf6d0a46b210f51d100061145849010ab5177135047d68c8ed2e2f7a9

memory/2168-44-0x0000000001040000-0x0000000001364000-memory.dmp

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\kSp0LcAZqQIi.bat

MD5 6bedd3c7e9b0fb40977706b879ebb724
SHA1 ce075859e40ce7acd338a57f6d35bf739f455e8d
SHA256 13ca9f2cd94459756d71985964146fa82e546081c39ed276af3d03e717565cb0
SHA512 1dd682d606feb7353fc71b8b359a303550c6c89a20ac8035e7e715d386e8400380f7c37555074e1e31d7b8f9c4cbfab488545df0b30d2f522ec5afd20c971bae

memory/1248-56-0x0000000000120000-0x0000000000444000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ookcGWi0iaCr.bat

MD5 934d079a2a60a12fca0f174ce4e6d8ef
SHA1 76d9f8ff0397cbd956b3326dbb1caee5517093b8
SHA256 231e4645511ebc84e49a1658c129b5eccaac9bace556231d79176e74a937bfce
SHA512 4f7c846887eb7960dead87fcbb4323be89ecac59baa8957fc3c9f9f0301f0489f8e8e95b0039a93d037564afe233f8698e067ca785f776f9c020223d8cb452ac

memory/1444-67-0x00000000010F0000-0x0000000001414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2Gs52dFuOOAc.bat

MD5 de8778ddb3c735833bb8129de217f702
SHA1 85676f9bb246429bb6557c31cdb1f179a8dbab21
SHA256 f73c21b4ea8fd4885cc387a5b32a8f6f0103478cd5c52fdecd03390b7006d3d0
SHA512 8e9f18c5d5d995ede538aa71c10aadce16784d48597b571f44607e63a3ccbe2f16008bddb2f6d8f2f8b23d460a6e789cd5f60b71df178dcccdbec38dfdd8bd92

C:\Users\Admin\AppData\Local\Temp\fHUypsR5cZe8.bat

MD5 f0ee2b391eae0e0620f7a0f2dbedddce
SHA1 d4a40d655b5fa9f80a61dd09f9d99c39c1ab5785
SHA256 394d8fad0a6ac74e8cf73cea2f667910fb654a9996c80ad729560b22839c93f0
SHA512 73484ea613cf8cd9787a018aa6173565075ca0bc16d7ba56ed1448a4df27aee297fdf57bd5f9b7fd8c1ceb85ecf3e15043f54620969abc5646096f82aa906795

memory/340-91-0x00000000011B0000-0x00000000014D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\T4RnteHx2LUO.bat

MD5 c85d83fa92faf8eb694431434d33f8d4
SHA1 15743690e3fdf143e33a2afc5aa20ea5aee13d92
SHA256 f5ff779bd4eb9fe6b6313fa68d8b034e53f075231409541122d765548612c221
SHA512 8c56b9b51cabacaad6e340b1e4e7f53562c84054fd444927e88856e61b7c7f243e85d75256d2f7bd43eb79c67a07b460fcbaebd29a6b7d0a8762f6f7ae6eeead

C:\Users\Admin\AppData\Local\Temp\ufVoy4qTmJBg.bat

MD5 e82c82d014db1cae3e5ea8e8883038f5
SHA1 ff72b1f95932c4bebaef8b58ec28d3172fe2d3db
SHA256 21a7d1afc096d20036554e927a653822d6fd6d4e12db6260ff7e0a8465eaa11a
SHA512 963b69c5c0737f7ed6e935eed596e80005f45ce3eca37890b6ae7981b9b8e44b05c2016c6a5988ba790ce709cfeb2e5c95123fc77b1d3e27ed7f1df0c6a91845

C:\Users\Admin\AppData\Local\Temp\6wxKarHO4iDi.bat

MD5 007aece500a3802fa3461e0a7d217e49
SHA1 d6d96d15679932570ee589607807e7b7c86a9138
SHA256 f6034f9dd5b936c9c62a66073ed0bcb9394bae3dd9f0b0eed64f5e3e42f6e9cb
SHA512 4c69f1b067db5b7048e3b6e63997218834b9df722b42de925b6be6c53753721f793346779aa32076ad00b31374d2f8d51d8008f9bd81766c86418ab905fa0b32

C:\Users\Admin\AppData\Local\Temp\XVn1Wk0PyNtH.bat

MD5 cb8edf2378050ab1cc2dd5fbe014e9f3
SHA1 b65c3e91bb146ea69e25dcdae3ff42958bf4b0be
SHA256 c3bea631b92b3854ec53850d77964af26befaa6839f71221f7ecbeab0c357b06
SHA512 fb88c19b06b180799e990e3b862a7601b9cc2c8aa142b76a369b8ab2f101f597b28c1956d68ffad21ea9dc5b8c4ad6614ce235c6cc04169e8435e4dc2b8c305f

memory/1632-134-0x00000000000A0000-0x00000000003C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\z0fvVgTurJIq.bat

MD5 8665de82fa2addcebe13a8cf19f4bd6d
SHA1 14d247f8486d45925fabc9d83e1f7aec49905ea2
SHA256 d2e063ec33888db0afb1e5fa2b05e18592e47a8958bdfeeed9cff3304c17305f
SHA512 4c30a1f4c701e2f1c94feabbf73d6854c316e6c7f3dc19f06c55c93226af7e3bceb8175f1a10284d2cc763e6495cac5cbb2e6e77a14114595119d63b5752939d

memory/2064-146-0x0000000001220000-0x0000000001544000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MhLSwW5PbTD8.bat

MD5 a2a8dfbfe593f8740fbbaa5a7b4f3993
SHA1 a69675e7f25a416ec7cb28ff8b6e8491b60575ca
SHA256 348b52fdd349748c3ac31832dfe0d446dbba1e8f585b759096b32abbe076db03
SHA512 8b851a1f367d93bb386f3d7c861fa26396e2fd9664d55211556374cb1f7d34064f94d56e9b0815c9f577771c40ad6d8c10c5ba1f179192ca7168042f8d3bf06c

C:\Users\Admin\AppData\Local\Temp\XC5vi1IMF8Fy.bat

MD5 5f68362e375bd080ea500a5cdfb1699b
SHA1 f68650ea2a35e53cff02d544315f9c6f2af6b849
SHA256 443db0cd5795d9ac2e553499003ae813961cc57ab4e22ee6ea41d0345d17b20c
SHA512 f5f585560e0e34020cd9ce4fb0628c918389bb54461b3599b57801b95e077072d5bc05f831c328017e3f84b7a365a7c64730661f9e8ba6ab0b143e7dc4fc0ff6

C:\Users\Admin\AppData\Local\Temp\HV4X7nAPaktd.bat

MD5 2b0ea848d60689f71e36de6acb56c4e9
SHA1 ba83f8f1ea87add2b1f47cd5fb3332a6e73c9b52
SHA256 dd252e892706c39dd87ada2598677e7078e6b45ebf41ddf3c5a0a27532d1cce0
SHA512 5d104c428d428375361204c2cfde6409eeb908dbfc83afb06a6f121d5bfe231a4f8eafd92066180947ab943595e953923822f3e1422dac45eb89d5d51d2806c0
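Two things in the Files section deserve a check before any of these hashes are shared as indicators. The dropped C:\Windows\System32\SubDir\SolaraExecutor.exe carries exactly the submitted sample's SHA256, so the sample copies itself into System32 rather than unpacking a second stage, and the \??\PIPE\lsarpc entry carries the digests of zero-length input, so it describes no content at all. The Network row is a DNS query: 8.8.8.8:53 is the resolver, nohchy-47404.portmap.host is the name being resolved, and only the latter is an indicator. The Python below is an added example, not sandbox output and not code from any project named on this page: it parses the Files and Network sections as printed above (the input is constructed from a subset of the entries) and sorts the entries into self-copy, empty-content artefact, dropped artefact and DNS indicator. The function names and the IOC dictionary layout are assumptions for the example.

```python
import hashlib
import re

SUBMITTED_SHA256 = "6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf"

# Digests of zero-length input. A Files entry carrying these describes a file
# whose content the sandbox never captured; it identifies nothing.
EMPTY_DIGESTS = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
    "SHA512": hashlib.sha512(b"").hexdigest(),
}

# Constructed input: three entries copied from the behavioral1 Files section,
# with one memory-dump line kept to show that such lines are skipped.
FILES_SECTION = r"""
memory/2916-1-0x0000000000EF0000-0x0000000001214000-memory.dmp

C:\Windows\System32\SubDir\SolaraExecutor.exe

MD5 3cf4f19b7c69135acb3c4c9bb9cdfb90
SHA1 e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
SHA256 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
SHA512 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd

C:\Users\Admin\AppData\Local\Temp\w8lKwKzL6O1o.bat

MD5 daddb1b98c2aa9bf6535c7cce995eafb
SHA1 774286ebd53cd08f20e739d16895fe66c76b14ff
SHA256 7aca139ed0eff45af2911354921132fde1d712363dffe4e7e8f961f056b1b9ee
SHA512 2c06abecd9afa7e47631b51dc1af960102f2f68d545ad21fff2615d5763d38c9bb1814d83692aa83580342d75915af281d5f2fa0a8c17a273f8b2d326e573d26

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

# Constructed input: the single row of the behavioral1 Network table.
NETWORK_ROWS = ["US 8.8.8.8:53 nohchy-47404.portmap.host udp"]

_DIGEST = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$", re.I)


def parse_files(text):
    """Return {path: {alg: digest}} for every hashed entry; memory dumps are skipped."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _DIGEST.match(line)
        if m and current is not None:
            entries[current][m.group(1).upper()] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None
        else:
            current = line
            entries[current] = {}
    return {p: d for p, d in entries.items() if d}


def classify(digests, submitted_sha256=SUBMITTED_SHA256):
    """Label one Files entry for indicator handling."""
    if digests.get("SHA256") == submitted_sha256:
        return "self-copy of submitted sample"
    empty = [alg for alg, d in digests.items() if EMPTY_DIGESTS.get(alg) == d]
    if empty and len(empty) == len(digests):
        return "empty content (not an indicator)"
    if empty:
        return "inconsistent digests (check the source)"
    return "dropped artifact"


def parse_network(rows):
    """Turn 'Country Destination Domain Proto' rows into indicator dicts.
    For a DNS row the destination is the resolver, so only the queried name is kept."""
    iocs = []
    for row in rows:
        parts = row.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        host, port = dest.rsplit(":", 1)
        if port == "53" and domain != "N/A":
            iocs.append({"type": "dns-query", "value": domain, "resolver": host, "country": country})
        else:
            iocs.append({"type": f"{proto}-endpoint", "value": dest, "domain": domain, "country": country})
    return iocs


def build_iocs(files_text, network_rows):
    """Collect shareable indicators: hashes of real artefacts plus queried names."""
    iocs = []
    for path, digests in parse_files(files_text).items():
        label = classify(digests)
        if label.startswith(("empty", "inconsistent")):
            continue
        iocs.append({"type": "file", "path": path, "sha256": digests.get("SHA256"), "note": label})
    iocs.extend(parse_network(network_rows))
    return iocs


if __name__ == "__main__":
    for ioc in build_iocs(FILES_SECTION, NETWORK_ROWS):
        print(ioc)
```

The self-copy label matters for hunting: the file hash of SolaraExecutor.exe is the same hash as the lure, so on a compromised host the distinguishing artefacts are the path under System32\SubDir, the RtkAudUService64 task, and the DNS name. Hostnames under portmap.host are handed out by the portmap.io port-forwarding service, so the operator's real address sits behind that service and the hostname, not a resolver or forwarding IP, is what to block and search for.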

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-04 01:24

Reported

2024-08-04 01:26

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Windows\system32\SubDir\SolaraExecutor.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe N/A
File opened for modification C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\SubDir\SolaraExecutor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 688 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe C:\Windows\SYSTEM32\schtasks.exe
PID 688 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe C:\Windows\SYSTEM32\schtasks.exe
PID 688 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 688 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 4540 wrote to memory of 2572 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4540 wrote to memory of 2572 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4540 wrote to memory of 4764 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 4540 wrote to memory of 4764 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 4764 wrote to memory of 4760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4764 wrote to memory of 4760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4764 wrote to memory of 1764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4764 wrote to memory of 1764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4764 wrote to memory of 1260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 4764 wrote to memory of 1260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 1260 wrote to memory of 4608 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1260 wrote to memory of 4608 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1260 wrote to memory of 2836 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 1260 wrote to memory of 2836 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2836 wrote to memory of 492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2836 wrote to memory of 492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2836 wrote to memory of 3460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2836 wrote to memory of 3460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2836 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2836 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2724 wrote to memory of 3948 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2724 wrote to memory of 3948 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2724 wrote to memory of 572 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2724 wrote to memory of 572 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 572 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 572 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 572 wrote to memory of 2092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 572 wrote to memory of 2092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 572 wrote to memory of 3876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 572 wrote to memory of 3876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 3876 wrote to memory of 2264 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3876 wrote to memory of 2264 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3876 wrote to memory of 3892 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 3876 wrote to memory of 3892 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 3892 wrote to memory of 4012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3892 wrote to memory of 4012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3892 wrote to memory of 3768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3892 wrote to memory of 3768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3892 wrote to memory of 496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 3892 wrote to memory of 496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 496 wrote to memory of 4416 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 496 wrote to memory of 4416 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 496 wrote to memory of 2236 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 496 wrote to memory of 2236 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2236 wrote to memory of 1204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2236 wrote to memory of 1204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2236 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2236 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 2236 wrote to memory of 4144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2236 wrote to memory of 4144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 4144 wrote to memory of 4816 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4144 wrote to memory of 4816 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4144 wrote to memory of 3900 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 4144 wrote to memory of 3900 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 3900 wrote to memory of 4964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3900 wrote to memory of 4964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3900 wrote to memory of 2296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3900 wrote to memory of 2296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3900 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 3900 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe

"C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEiMixRgKeO7.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XpLHk3Hs7XBf.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCHBOAdpeJ8p.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkOzK3FNaL4n.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSM2RpwG6zqP.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kthY9GZZm3ST.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k0aumOzGJsyg.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZItkk5tp8pos.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Rd9vnoVRQ0f3.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JPyMkjlwUBG2.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Uv5BxCS2lg1P.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\11nIkY2H48r8.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VLKi7rizViNE.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vzfUcSVf3UPK.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D6Nkl14ERROP.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp

Files

memory/688-0-0x00007FF8B9073000-0x00007FF8B9075000-memory.dmp

memory/688-1-0x0000000000D80000-0x00000000010A4000-memory.dmp

memory/688-2-0x00007FF8B9070000-0x00007FF8B9B31000-memory.dmp

C:\Windows\System32\SubDir\SolaraExecutor.exe

MD5 3cf4f19b7c69135acb3c4c9bb9cdfb90
SHA1 e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
SHA256 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
SHA512 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd

memory/688-8-0x00007FF8B9070000-0x00007FF8B9B31000-memory.dmp

memory/4540-9-0x00007FF8B9070000-0x00007FF8B9B31000-memory.dmp

memory/4540-10-0x00007FF8B9070000-0x00007FF8B9B31000-memory.dmp

memory/4540-11-0x000000001DF30000-0x000000001DF80000-memory.dmp

memory/4540-12-0x000000001E040000-0x000000001E0F2000-memory.dmp

memory/4540-17-0x00007FF8B9070000-0x00007FF8B9B31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XEiMixRgKeO7.bat

MD5 6bf0858535d56f2819a0f44ee05230bb
SHA1 8fea9629e64221743d4a2f2c7bc6de37e212a991
SHA256 db5392aebdae516481aef0772119dd53449c3d25c88aa2c7d16416bb7b475067
SHA512 b386b2e6e793431e2e98963c9b93800d780f4775ef2b3ba224fa3a48656ef5824a65a94f7b12c311a97c36c1f45f04555ab1e4c150037d533322640154d65240

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SolaraExecutor.exe.log

MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

C:\Users\Admin\AppData\Local\Temp\XpLHk3Hs7XBf.bat

MD5 3b71f11952579b56a9f26b1f827a8e66
SHA1 b70617f3452056cc67d17f1225ed286d5f84d1f0
SHA256 7dd256daac279e02bb906b5c21536244df1a4cbf162d2c9e61c089634c36a998
SHA512 3a49ddc591b93e5196790c24e51b0abfc9b1ccf4b705222d722c95eebf9bc9448a9939e2025cecf5da76dd72dd9173c66c22c7dfa6cdfada433ab716de17ec74

C:\Users\Admin\AppData\Local\Temp\hCHBOAdpeJ8p.bat

MD5 c0d2a4ea1af7ce956918fc60c16f21e5
SHA1 e4cf43c0dd7b38cacb882b1b5af58df19db03659
SHA256 0501af29d41773ca7e40989086b119645929637657fcb215ba2e1b3e441716f6
SHA512 115eb761f632b2e7ecf9047f53006ed04c1c6a0cedbc066f4f2665f95899521764454657fd2f86cecbe57b431859b86a8fe6e80794f4377f57fa6462a40d2bb8

C:\Users\Admin\AppData\Local\Temp\hkOzK3FNaL4n.bat

MD5 b20d6c9ba0f8515fd11a40e7934d6c71
SHA1 b234088f05a36df05533ab6c7118e64cf97a27e4
SHA256 f914611f571d63b90d8f01089c423a2ef9a6428d3f8007ca4f035ba15326f2ff
SHA512 7c356438dd1088d9424f33bd1ab1908a0feeddc970439f081ca78e7700e99f2fe324639bf2478d954efd95e9f602fa618d1c4b4962827ac74c3da42db9f1417e

C:\Users\Admin\AppData\Local\Temp\iSM2RpwG6zqP.bat

MD5 4b59ab7474b334e9b5aed7ccc8657f17
SHA1 d4250e7e09908130b974917623628175d20584a4
SHA256 c576f58864fa1370391c7f6ec9f5df81f370c0b6258f00f942ebca051ba5ccb3
SHA512 4e5198f98c4c1f21939e29b71402762bdd105e8e765ac76f9e2a7f1303580f4cca4714cc9b8ea1e7a0c1f85e4b14032528d68ecc04a5f6148605d1d3568e9a82

C:\Users\Admin\AppData\Local\Temp\kthY9GZZm3ST.bat

MD5 846752e5aed00b8b9c78bb32f8f3147d
SHA1 567c6f30bbe5ea74e349d025fabe35c128d73a88
SHA256 2fc56b3b0d23a18fbf4726aa4098ead2a8115f720e54dc52bc5ae4cfe334be85
SHA512 d9b32fd7184d869429f7b23567b8676e100c14ec4b5ef6f1f61bf1b5824da202730cdaf70fd8bb7210223f82d77b8aaa7e962b939b6074b612e9214f195895af

C:\Users\Admin\AppData\Local\Temp\k0aumOzGJsyg.bat

MD5 cde1253873cf461daf76480611ea07a7
SHA1 e31aee396d57b6311b81eff7b6b498f91f63da84
SHA256 d2e6d64720b9045858f090a21f984aad25baefc06a4ed1677224f02fd9deb1b5
SHA512 9e22650adc068cf092ed949680391578243274815e8f192b80cb05a46f0cb18b82526b574fd7ced9b0ff186f8c1dbb205de46245a73e9f60e49d8e7d52a2f809

C:\Users\Admin\AppData\Local\Temp\ZItkk5tp8pos.bat

MD5 de9d9500f42a85e22f61f9c07afc9832
SHA1 a00e0fd17b5e3cc5e40774846c2eee6e221998c3
SHA256 b1e26154369bcd2d7c2ffba531df1fec9b9b6441c2b2b14eff84bcb4da067ce1
SHA512 2f826500fd10a4c57118f95eb2e62c0707aac80609dd4b7c471d827d860275dc80627fb701d524dc48aba07fc3939914e0d3281894f0df3315fb80b08f4680c4

C:\Users\Admin\AppData\Local\Temp\Rd9vnoVRQ0f3.bat

MD5 f0a09af6ca076e5e37836617792cc796
SHA1 eafe86de9e2be233fd453f8b888ea148a306ec13
SHA256 496e5f2f4b7d6b452be18caefc7e13c25884329187dfe3046b3773c32eb02c22
SHA512 3a242f27a94f6a66065ed5819be3efa32f95c55c531c142f4ad758d54cde000035de3536b525032a7beece69bb40a599df5d966d5dbb204de67c1d4f44e1de77

C:\Users\Admin\AppData\Local\Temp\JPyMkjlwUBG2.bat

MD5 5bcb25f5bede1e6184ad61d0830f68b6
SHA1 3c4631c4b676fdefcb65fbda105c746e2da9d582
SHA256 19218a4ea6235183801c0dacefc484d05f1ab28bd83d6cf92e87fe1874b1bb73
SHA512 844820830fbaca4a285e796f36157f4530d8ed1d70e21a301a1d39ef706eb946e8c6558c1048542f79b51e4df6b25a9df9c74cac7cf9d3a6d228619d25d33d9a

C:\Users\Admin\AppData\Local\Temp\Uv5BxCS2lg1P.bat

MD5 e20ebba8fd437d264f67f69c6e9848fd
SHA1 3fafec2ce87b05f07081264b55c0856247184104
SHA256 d24ccdaf66395e37c21df5760c0a0c676e43da2750e6cb3fb857a10955007b62
SHA512 90e7bfab85dff2899f29a7c5ca1706f282538fb3ac0d6af27e69b25f020ec540391619cb3d63de2433fc6b0c3b96a0af6778d624a2f0d6f0bff2746e7d222577

C:\Users\Admin\AppData\Local\Temp\11nIkY2H48r8.bat

MD5 4be3c3830fafdd9e59739a963f01e732
SHA1 2ebb309fba805acffc04c39e3348f86357d73197
SHA256 014b3a0e614cb8f84e7c10694d5ffd34f1c6fbac48e3a0f62cd62bfe334c1d5b
SHA512 aa1179d5d1935cfd41d6b8c6cbbaf5079d3dacb86316f88c1ef20e2092d265396ae5060f46f95b68813b10fe2757c25975227a0c38e3d5a0b240bd2e04a2c8f9

C:\Users\Admin\AppData\Local\Temp\VLKi7rizViNE.bat

MD5 dff6999fdddb4a56a64d75018d53ce16
SHA1 41f00a0119ed620c7194ebc697f744b2b7524c7b
SHA256 66659e7e9ee01488e5b021fdb5aad2f4478a4dee1fc26816d93c8d0ad557d279
SHA512 ff50a577cf3744ded1b43f6d9792cfec7dde9da2ff2b4e231d36f42c603ba9c378bdd25a0c661147ce1749602054ba20d29c81e1a339592d155b7414e10abc11

C:\Users\Admin\AppData\Local\Temp\vzfUcSVf3UPK.bat

MD5 57a4750864386885c761299f305886be
SHA1 41bf58dcbfe011b3ba9952bee5ee0980c4e2d7f0
SHA256 20596e82147ba33182ae5f0b3d461e4236c103fc7bd99fc21db3760d4b15d247
SHA512 0c35fce3f7e6e96e416da3f555b62c354493d03efc7b196b8e4572855aab8a52e66a6b492b214a2ac5e4f6a8c8b09c3d67b2391fec98f0116dfcec030aee6443

C:\Users\Admin\AppData\Local\Temp\D6Nkl14ERROP.bat

MD5 859d1460ab539a4b17cd9a26980b1d1f
SHA1 7ea6cd43a918bc0fb8cf4d951cde704d7e4791ab
SHA256 36a3c002c15862618e614f56c3e8c6981197ff2b28cc2314378b1f38b9fe0805
SHA512 edb7b2bf4df03237d308a70fe3f1be02c6c3f364286ba3e6a6262f529095dfd0adeb820c5ecf337be7b9a715a8ded4839b9d02a10a07293e22463c349727ad99