Analysis

  • max time kernel
    145s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-08-2024 01:22

General

  • Target

    6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe

  • Size

    3.1MB

  • MD5

    3cf4f19b7c69135acb3c4c9bb9cdfb90

  • SHA1

    e2b5a40dd2abfa03671fde7c4e74f9b2846f989f

  • SHA256

    6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf

  • SHA512

    4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd

  • SSDEEP

    49152:DvehBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaxAtueYFoGdXTHHB72eh2NT:DvAt2d5aKCuVPzlEmVQ0wvwf+tuee

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

nohchy-47404.portmap.host:47404

Mutex

1a1e174b-dbf8-49ad-9b43-2cfbb233a6d9

Attributes
  • encryption_key

    795CDD46D2CDD422BE523F263B64E03D8B6AAD42

  • install_name

    SolaraExecutor.exe

  • log_directory

    Logs

  • reconnect_delay

    2000

  • startup_key

    RtkAudUService64

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 14 IoCs
  • Executes dropped EXE 15 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
    "C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2940
    • C:\Windows\system32\SubDir\SolaraExecutor.exe
      "C:\Windows\system32\SubDir\SolaraExecutor.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2152
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1152
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\L7sBEjbHQdxN.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:2812
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2748
          • C:\Windows\system32\SubDir\SolaraExecutor.exe
            "C:\Windows\system32\SubDir\SolaraExecutor.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2688
            • C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2580
            • C:\Windows\system32\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\d9hsAOnd4HyZ.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2184
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:1716
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:1500
                • C:\Windows\system32\SubDir\SolaraExecutor.exe
                  "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of WriteProcessMemory
                  PID:2852
                  • C:\Windows\system32\schtasks.exe
                    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:2584
                  • C:\Windows\system32\cmd.exe
                    cmd /c ""C:\Users\Admin\AppData\Local\Temp\UDToL1N0H78L.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2844
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:1080
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:1044
                      • C:\Windows\system32\SubDir\SolaraExecutor.exe
                        "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of WriteProcessMemory
                        PID:1656
                        • C:\Windows\system32\schtasks.exe
                          "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:2352
                        • C:\Windows\system32\cmd.exe
                          cmd /c ""C:\Users\Admin\AppData\Local\Temp\0ygmK23w7iA9.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2504
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:880
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:1876
                            • C:\Windows\system32\SubDir\SolaraExecutor.exe
                              "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              PID:2348
                              • C:\Windows\system32\schtasks.exe
                                "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:2416
                              • C:\Windows\system32\cmd.exe
                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\3TguxC4Ul1Wk.bat" "
                                11⤵
                                  PID:608
                                  • C:\Windows\system32\chcp.com
                                    chcp 65001
                                    12⤵
                                      PID:1304
                                    • C:\Windows\system32\PING.EXE
                                      ping -n 10 localhost
                                      12⤵
                                      • System Network Configuration Discovery: Internet Connection Discovery
                                      • Runs ping.exe
                                      PID:2200
                                    • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                      "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                      12⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of FindShellTrayWindow
                                      • Suspicious use of SendNotifyMessage
                                      PID:1956
                                      • C:\Windows\system32\schtasks.exe
                                        "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                        13⤵
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2860
                                      • C:\Windows\system32\cmd.exe
                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\2Ku9NUao0RCr.bat" "
                                        13⤵
                                          PID:2488
                                          • C:\Windows\system32\chcp.com
                                            chcp 65001
                                            14⤵
                                              PID:1392
                                            • C:\Windows\system32\PING.EXE
                                              ping -n 10 localhost
                                              14⤵
                                              • System Network Configuration Discovery: Internet Connection Discovery
                                              • Runs ping.exe
                                              PID:988
                                            • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                              "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                              14⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of FindShellTrayWindow
                                              • Suspicious use of SendNotifyMessage
                                              PID:1580
                                              • C:\Windows\system32\schtasks.exe
                                                "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                15⤵
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2316
                                              • C:\Windows\system32\cmd.exe
                                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\Li0JO1LK19fK.bat" "
                                                15⤵
                                                  PID:2956
                                                  • C:\Windows\system32\chcp.com
                                                    chcp 65001
                                                    16⤵
                                                      PID:1648
                                                    • C:\Windows\system32\PING.EXE
                                                      ping -n 10 localhost
                                                      16⤵
                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                      • Runs ping.exe
                                                      PID:2016
                                                    • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                      "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                      16⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of FindShellTrayWindow
                                                      • Suspicious use of SendNotifyMessage
                                                      PID:1152
                                                      • C:\Windows\system32\schtasks.exe
                                                        "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                        17⤵
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2648
                                                      • C:\Windows\system32\cmd.exe
                                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3uTqsouO5Mmx.bat" "
                                                        17⤵
                                                          PID:2548
                                                          • C:\Windows\system32\chcp.com
                                                            chcp 65001
                                                            18⤵
                                                              PID:2864
                                                            • C:\Windows\system32\PING.EXE
                                                              ping -n 10 localhost
                                                              18⤵
                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                              • Runs ping.exe
                                                              PID:3016
                                                            • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                              "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                              18⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • Suspicious use of FindShellTrayWindow
                                                              • Suspicious use of SendNotifyMessage
                                                              PID:2644
                                                              • C:\Windows\system32\schtasks.exe
                                                                "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                19⤵
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:500
                                                              • C:\Windows\system32\cmd.exe
                                                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\2lhNmCNHvCa4.bat" "
                                                                19⤵
                                                                  PID:1740
                                                                  • C:\Windows\system32\chcp.com
                                                                    chcp 65001
                                                                    20⤵
                                                                      PID:1476
                                                                    • C:\Windows\system32\PING.EXE
                                                                      ping -n 10 localhost
                                                                      20⤵
                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                      • Runs ping.exe
                                                                      PID:2360
                                                                    • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                                      "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      • Suspicious use of FindShellTrayWindow
                                                                      • Suspicious use of SendNotifyMessage
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:948
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                        21⤵
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:2992
                                                                      • C:\Windows\system32\cmd.exe
                                                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Z019MF8Sq4xM.bat" "
                                                                        21⤵
                                                                          PID:328
                                                                          • C:\Windows\system32\chcp.com
                                                                            chcp 65001
                                                                            22⤵
                                                                              PID:2844
                                                                            • C:\Windows\system32\PING.EXE
                                                                              ping -n 10 localhost
                                                                              22⤵
                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                              • Runs ping.exe
                                                                              PID:2408
                                                                            • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                                              "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                                              22⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              • Suspicious use of FindShellTrayWindow
                                                                              • Suspicious use of SendNotifyMessage
                                                                              PID:1116
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                                23⤵
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:1328
                                                                              • C:\Windows\system32\cmd.exe
                                                                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\eEAn0qcaD6Aq.bat" "
                                                                                23⤵
                                                                                  PID:1496
                                                                                  • C:\Windows\system32\chcp.com
                                                                                    chcp 65001
                                                                                    24⤵
                                                                                      PID:1132
                                                                                    • C:\Windows\system32\PING.EXE
                                                                                      ping -n 10 localhost
                                                                                      24⤵
                                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                                      • Runs ping.exe
                                                                                      PID:2948
                                                                                    • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                                                      "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                                                      24⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      • Suspicious use of FindShellTrayWindow
                                                                                      • Suspicious use of SendNotifyMessage
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      PID:792
                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                        "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                                        25⤵
                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                        PID:3032
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\KDOf3zF5H1Wg.bat" "
                                                                                        25⤵
                                                                                          PID:2200
                                                                                          • C:\Windows\system32\chcp.com
                                                                                            chcp 65001
                                                                                            26⤵
                                                                                              PID:2392
                                                                                            • C:\Windows\system32\PING.EXE
                                                                                              ping -n 10 localhost
                                                                                              26⤵
                                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                                              • Runs ping.exe
                                                                                              PID:2440
                                                                                            • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                                                              "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                                                              26⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              • Suspicious use of FindShellTrayWindow
                                                                                              • Suspicious use of SendNotifyMessage
                                                                                              PID:1920
                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                                                27⤵
                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                PID:2364
                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\5zDbpDGkiedn.bat" "
                                                                                                27⤵
                                                                                                  PID:876
• C:\Windows\system32\chcp.com
  chcp 65001
  28⤵
  PID:1788
• C:\Windows\system32\PING.EXE
  ping -n 10 localhost
  28⤵
  • System Network Configuration Discovery: Internet Connection Discovery
  • Runs ping.exe
  PID:1712
• C:\Windows\system32\SubDir\SolaraExecutor.exe
  "C:\Windows\system32\SubDir\SolaraExecutor.exe"
  28⤵
  • Executes dropped EXE
  • Suspicious use of AdjustPrivilegeToken
  • Suspicious use of FindShellTrayWindow
  • Suspicious use of SendNotifyMessage
  • Suspicious use of SetWindowsHookEx
  PID:1944
  • C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
    29⤵
    • Scheduled Task/Job: Scheduled Task
    PID:3064
  • C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\DD5qZdC2v0he.bat" "
    29⤵
    PID:2228
    • C:\Windows\system32\chcp.com
      chcp 65001
      30⤵
      PID:2196
    • C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      30⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1456
    • C:\Windows\system32\SubDir\SolaraExecutor.exe
      "C:\Windows\system32\SubDir\SolaraExecutor.exe"
      30⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2884
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
        31⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2740
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\nwBAUhCBqxYP.bat" "
        31⤵
        PID:2896
        • C:\Windows\system32\chcp.com
          chcp 65001
          32⤵
          PID:2656
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          32⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1628

Network

MITRE ATT&CK Enterprise v15

Downloads

Dropped files:

• C:\Users\Admin\AppData\Local\Temp\0ygmK23w7iA9.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\2Ku9NUao0RCr.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\2lhNmCNHvCa4.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\3TguxC4Ul1Wk.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\3uTqsouO5Mmx.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\5zDbpDGkiedn.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\DD5qZdC2v0he.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\KDOf3zF5H1Wg.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\L7sBEjbHQdxN.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\Li0JO1LK19fK.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\UDToL1N0H78L.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\Z019MF8Sq4xM.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\d9hsAOnd4HyZ.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\eEAn0qcaD6Aq.bat (204B)
• C:\Users\Admin\AppData\Local\Temp\nwBAUhCBqxYP.bat (204B)
• C:\Windows\System32\SubDir\SolaraExecutor.exe (3.1MB; its MD5, SHA1, SHA256 and SHA512 are identical to those of the submitted sample)
• \??\PIPE\srvsvc (no size recorded; its MD5, SHA1, SHA256 and SHA512 are those of zero-length input)

Memory dumps:

• memory/948-110-0x0000000000350000-0x0000000000674000-memory.dmp (3.1MB)
• memory/1116-122-0x0000000001160000-0x0000000001484000-memory.dmp (3.1MB)
• memory/1656-45-0x00000000010D0000-0x00000000013F4000-memory.dmp (3.1MB)
• memory/1920-145-0x00000000003F0000-0x0000000000714000-memory.dmp (3.1MB)
• memory/1944-156-0x0000000000D60000-0x0000000001084000-memory.dmp (3.1MB)
• memory/1956-67-0x0000000000F90000-0x00000000012B4000-memory.dmp (3.1MB)
• memory/2152-8-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp (9.9MB)
• memory/2152-19-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp (9.9MB)
• memory/2152-10-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp (9.9MB)
• memory/2152-9-0x0000000000A00000-0x0000000000D24000-memory.dmp (3.1MB)
• memory/2348-56-0x0000000000300000-0x0000000000624000-memory.dmp (3.1MB)
• memory/2460-7-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp (9.9MB)
• memory/2460-0-0x000007FEF5AB3000-0x000007FEF5AB4000-memory.dmp (4KB)
• memory/2460-2-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp (9.9MB)
• memory/2460-1-0x0000000000F10000-0x0000000001234000-memory.dmp (3.1MB)
• memory/2644-99-0x00000000012C0000-0x00000000015E4000-memory.dmp (3.1MB)
• memory/2688-22-0x0000000000240000-0x0000000000564000-memory.dmp (3.1MB)
• memory/2852-33-0x0000000000170000-0x0000000000494000-memory.dmp (3.1MB)
• memory/2884-168-0x0000000001370000-0x0000000001694000-memory.dmp (3.1MB)