Malware Analysis Report

2024-10-23 21:24

Sample ID 240805-brcx6swglh
Target 3cf4f19b7c69135acb3c4c9bb9cdfb90.bin
SHA256 15a29041d43b33af3f35611c8c8d2d398f864b671bf9235afdef9751e0815b7a
Tags
office04 quasar discovery spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

15a29041d43b33af3f35611c8c8d2d398f864b671bf9235afdef9751e0815b7a

Threat Level: Known bad

The file 3cf4f19b7c69135acb3c4c9bb9cdfb90.bin was found to be: Known bad.

Malicious Activity Summary

office04 quasar discovery spyware trojan

Quasar payload

Quasar RAT

Quasar family

Executes dropped EXE

Checks computer location settings

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Runs ping.exe

Scheduled Task/Job: Scheduled Task

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-05 01:22

Signatures

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:24

Platform

win7-20240705-en

Max time kernel

145s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2460 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | C:\Windows\system32\schtasks.exe
PID 2460 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | C:\Windows\system32\schtasks.exe
PID 2460 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | C:\Windows\system32\schtasks.exe
PID 2460 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2460 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2460 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2152 wrote to memory of 1152 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\schtasks.exe
PID 2152 wrote to memory of 1152 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\schtasks.exe
PID 2152 wrote to memory of 1152 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\schtasks.exe
PID 2152 wrote to memory of 2656 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\cmd.exe
PID 2152 wrote to memory of 2656 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\cmd.exe
PID 2152 wrote to memory of 2656 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\cmd.exe
PID 2656 wrote to memory of 2812 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2656 wrote to memory of 2812 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2656 wrote to memory of 2812 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2656 wrote to memory of 2748 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2656 wrote to memory of 2748 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2656 wrote to memory of 2748 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2656 wrote to memory of 2688 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2656 wrote to memory of 2688 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2656 wrote to memory of 2688 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2688 wrote to memory of 2580 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\schtasks.exe
PID 2688 wrote to memory of 2580 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\schtasks.exe
PID 2688 wrote to memory of 2580 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\schtasks.exe
PID 2688 wrote to memory of 2184 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\cmd.exe
PID 2688 wrote to memory of 2184 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\cmd.exe
PID 2688 wrote to memory of 2184 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\cmd.exe
PID 2184 wrote to memory of 1716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2184 wrote to memory of 1716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2184 wrote to memory of 1716 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2184 wrote to memory of 1500 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2184 wrote to memory of 1500 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2184 wrote to memory of 1500 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2184 wrote to memory of 2852 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2184 wrote to memory of 2852 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2184 wrote to memory of 2852 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2852 wrote to memory of 2584 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\schtasks.exe
PID 2852 wrote to memory of 2584 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\schtasks.exe
PID 2852 wrote to memory of 2584 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\schtasks.exe
PID 2852 wrote to memory of 2844 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\cmd.exe
PID 2852 wrote to memory of 2844 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\cmd.exe
PID 2852 wrote to memory of 2844 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 1080 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2844 wrote to memory of 1080 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2844 wrote to memory of 1080 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2844 wrote to memory of 1044 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2844 wrote to memory of 1044 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2844 wrote to memory of 1044 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2844 wrote to memory of 1656 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2844 wrote to memory of 1656 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2844 wrote to memory of 1656 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 1656 wrote to memory of 2352 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\schtasks.exe
PID 1656 wrote to memory of 2352 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\schtasks.exe
PID 1656 wrote to memory of 2352 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\schtasks.exe
PID 1656 wrote to memory of 2504 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\cmd.exe
PID 1656 wrote to memory of 2504 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\cmd.exe
PID 1656 wrote to memory of 2504 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\cmd.exe
PID 2504 wrote to memory of 880 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2504 wrote to memory of 880 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2504 wrote to memory of 880 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2504 wrote to memory of 1876 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2504 wrote to memory of 1876 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2504 wrote to memory of 1876 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2504 wrote to memory of 2348 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe

"C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\L7sBEjbHQdxN.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\d9hsAOnd4HyZ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\UDToL1N0H78L.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\0ygmK23w7iA9.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\3TguxC4Ul1Wk.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\2Ku9NUao0RCr.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Li0JO1LK19fK.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\3uTqsouO5Mmx.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\2lhNmCNHvCa4.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\Z019MF8Sq4xM.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\eEAn0qcaD6Aq.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\KDOf3zF5H1Wg.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\5zDbpDGkiedn.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DD5qZdC2v0he.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\nwBAUhCBqxYP.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp

Files

memory/2460-0-0x000007FEF5AB3000-0x000007FEF5AB4000-memory.dmp

memory/2460-1-0x0000000000F10000-0x0000000001234000-memory.dmp

memory/2460-2-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

C:\Windows\System32\SubDir\SolaraExecutor.exe

MD5 3cf4f19b7c69135acb3c4c9bb9cdfb90
SHA1 e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
SHA256 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
SHA512 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd

memory/2460-7-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

memory/2152-9-0x0000000000A00000-0x0000000000D24000-memory.dmp

memory/2152-8-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

memory/2152-10-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\L7sBEjbHQdxN.bat

MD5 feca430d7239917c3a250ead322ef646
SHA1 200a75d043ca2a26de3683e2e7cbad601f700d2b
SHA256 ca4d0ce614b201c2e9a23d041e57a3075d96359c2729384090b9ca1ef7304b85
SHA512 96ff23169cc7552d437e95181c81c0c3896838d64da5a8fabba3ae7cfa6c2c349c3814c727cb980999deece7aa1637bd182d7f18a4a47ca105fbf3552174854c

memory/2152-19-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

memory/2688-22-0x0000000000240000-0x0000000000564000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d9hsAOnd4HyZ.bat

MD5 f0274196c3a44503b95f41f1ac1f208f
SHA1 cb9ddcf0d846d4a0a19e8df04be4eb3fdcf7589f
SHA256 3103b81aa120c2b04df7f9183614caa8dd9bde36a53dd6ff05d796faa171cea1
SHA512 82d100dc28abc9b6856be7c3cc33ee35da539fe32330921a2aadd23a789256db8983555d754ad9fa92279ccab72b98ed56962adcad33fa89c5d5880d7cb74fa4

memory/2852-33-0x0000000000170000-0x0000000000494000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\UDToL1N0H78L.bat

MD5 c31761c97ab416bd13307fb85c968c6f
SHA1 a866e13196002b237104a10532657374d25787bc
SHA256 0b2cf460b38f057a206d2ffb0af27a967c7460211e1d782e4bbf1127e02356b9
SHA512 6414333d6011d52b7d94fc5e3dacb994b4b30d18c52041c3421b02ed5e658242f2865731bcbfab742c47d4c3d53fa26ca555130ec4153d2ff568178796d807d1

memory/1656-45-0x00000000010D0000-0x00000000013F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0ygmK23w7iA9.bat

MD5 2910f681fd312bc4c1f340fa1ba9d939
SHA1 a0cd81040e4ee72dfb373bc28a8d30e189db7ab4
SHA256 36dbeb626bcb2a73fd119cc660df804f291afa4095c047223848b23aaa872a59
SHA512 45c9387dc8b34d042e65ca9cf994982edfa8cd0e33eae95e23520a248c70eec7cd96150ee214372d594e5ec4db4f51edf2d83b4fec805c933ccf74c1fc844d91

memory/2348-56-0x0000000000300000-0x0000000000624000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3TguxC4Ul1Wk.bat

MD5 23af2385aa23cdac85077c257c8a0cb6
SHA1 8ecaf8d174649fbbf2f708261980f8f64deace6f
SHA256 a669ed36f2bf733f3ecd1b5c093b5e867c6cb302a48b6670b2007b4179f0a749
SHA512 6382fcc0de552e2fc8d20d89f0e6ff1f97483f5dd54df9e3ab1f91766c60d81787459af76d2453c552118c19de7816dc27eaa417851e33cf31f156fef33d0806

memory/1956-67-0x0000000000F90000-0x00000000012B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2Ku9NUao0RCr.bat

MD5 55b53992d2888712b8145e27b10a97e1
SHA1 00affca3f39529319666371369d648ef64f72c1a
SHA256 ce9fb051707888c7119c2eb30accd4f3445b3535639776884c22d52b322920d7
SHA512 ac9ff08632d54986c3e11e8d023c48e461d62b4c49319110f408b7c0371b821e1069ab325901078be23cd5eb1828daebb6366d8545f3c5930fb82193e99ebb2c

C:\Users\Admin\AppData\Local\Temp\Li0JO1LK19fK.bat

MD5 3015a387064a6d27cbec6b91abe71400
SHA1 ac91d1b9d5cf2594850dba04194075b1ef78941e
SHA256 c0870fdaeca46b93ae8c87b75c83ccfbe88b40a9224624a75b268b8cb849949c
SHA512 b12472ebcab69b74890ecef8628d4f77957f68127097e24fda1375ae671aac1a1055f1114ebcfedbc40399a223f2261be9ca6df674be4d8c65adceaeded81e49

C:\Users\Admin\AppData\Local\Temp\3uTqsouO5Mmx.bat

MD5 f40bb1a30cf1b526f040f5944b87d544
SHA1 312247b9771a11bd1410319eb22d3a9cf15e6b80
SHA256 488a9f6d852061798a85092e5331711c300d60912ef2579939198a3649780731
SHA512 a9412d44865ec3c54f816a87f5b0f14f3350959f74278f70f38bbb79cf0e981cb84bfec91b1d0525f6119b12909382655d1affff6e91123f2181a8547746e675

memory/2644-99-0x00000000012C0000-0x00000000015E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2lhNmCNHvCa4.bat

MD5 e798cdd9b01b5b6661ef9395c3c8d5a7
SHA1 10cba84d01ba0ecd234229efa8fb15fc813e8030
SHA256 5ec221ea7fdcbd59cc42ea8b67a95220764c993850bad68d59860cb7fd0130f0
SHA512 f3c542fe746889a84e88fa731232d0bce0146504da2f655bb546b57166f7eeefb904a4cd29d85bf376663da1204e6df127233d1f979297f48ed9d01400226eb0

memory/948-110-0x0000000000350000-0x0000000000674000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Z019MF8Sq4xM.bat

MD5 c5b5aff27893b3c59e91fe53fd2d85b3
SHA1 475e4643f4b245f6a99a502b3f9bfa2fd26a3e10
SHA256 76241c77e3244001109a2de1a0a716314bf8a4feb039799e40c1b9183780976d
SHA512 ddbd3f2a191f58d57a3cb5fb088c7ff608caa22e900c9f28e2c7c489a6930a6c979394f03787fb799d0dc9ebd36f447b1604fc7d69287883bb57229cac01d69e

memory/1116-122-0x0000000001160000-0x0000000001484000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eEAn0qcaD6Aq.bat

MD5 d4bc36b5dab9beca2ead75e55cdcb568
SHA1 4f48bec8f6d0a9e50f8863cdcbb8ea594eff1eda
SHA256 861b0259a45455737e263cb115fcbc79a5668862d3f153e4ac02bb57582e84b1
SHA512 eb6186664beabf8a18708a14e301bd3fb3affafb88abdb01cc969992bb47bc9ed09faf2303eb658fd3229a0ba47998aa7e2fbf993b646b90bded37c0aea07218

C:\Users\Admin\AppData\Local\Temp\KDOf3zF5H1Wg.bat

MD5 40393af952536ef306d6c0cd07c78cb3
SHA1 c055b267c6b184114f622c8a1f1c7f66d856051a
SHA256 f5faae36cc1057e04f1f38c93dcddaa99e6faeeb7903b343e17beaa98445d19d
SHA512 ce1f61f222a5d4ad66656606f44a40f52bc61c6d423bcb38c6be3e0de1a27703fb1c783776aeba1bd551fcf221d96f949332d57c9b1f9e9950d49f4accc7a29e

memory/1920-145-0x00000000003F0000-0x0000000000714000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5zDbpDGkiedn.bat

MD5 61a3ef50a55be54bbb71be14037941ad
SHA1 9bd2c451b466db9382cb91c9183786ca6312bfb9
SHA256 98533b2b338db80c96e2405a283d5b02a621c962f3a698677b8433eb7249eb4a
SHA512 1445fe697d5bc5f074b6194b5de21b710b05a347a60a619c75eecf8cfd613088168acdda77dcbd598660907ea023077ce24b0fbb0e8c5874c5a549a0c7169946

memory/1944-156-0x0000000000D60000-0x0000000001084000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DD5qZdC2v0he.bat

MD5 da9c1996b70db0228d90a2ce3d3cc341
SHA1 9112f3d4cc458483e50c1d6495b3e0a78f7ce250
SHA256 6bc8a6709e0d94e540235f834b1f838a31218076c802865050b50d2d833ebdb6
SHA512 426d03f3256600777acf7f3f1c3587cb5b597af42e665f59924da5819ccf3637ad487442c2f6207aaad0c8233859ded30731f650d67b9829a05764de7d4b6e78

memory/2884-168-0x0000000001370000-0x0000000001694000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nwBAUhCBqxYP.bat

MD5 fbec21052fda9416016a3d874523135e
SHA1 1a1fffc73247bd90bed690a0b04c94a9cbc0225d
SHA256 c9379c25e78ab8548c8fdc146d70cbca15f783bbf208a20712e85fc41564dc39
SHA512 ad9d7a89d8c84b43b24f9e0a7b70950cd76f0554dc402e820032943ae40998aeb0efbf7a59baddc04604f76db8800c6ca3953651cc21e25c3eeb904d7c759e44

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:24

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4664 wrote to memory of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4664 wrote to memory of 5036 | N/A | C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4664 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 4664 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 1784 wrote to memory of 2784 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 1784 wrote to memory of 2784 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 1784 wrote to memory of 4572 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\cmd.exe
PID 1784 wrote to memory of 4572 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\cmd.exe
PID 4572 wrote to memory of 2216 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4572 wrote to memory of 2216 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4572 wrote to memory of 2224 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4572 wrote to memory of 2224 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4572 wrote to memory of 4524 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 4572 wrote to memory of 4524 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 4524 wrote to memory of 1520 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4524 wrote to memory of 1520 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4524 wrote to memory of 1008 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\cmd.exe
PID 4524 wrote to memory of 1008 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\cmd.exe
PID 1008 wrote to memory of 3736 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1008 wrote to memory of 3736 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1008 wrote to memory of 4736 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1008 wrote to memory of 4736 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1008 wrote to memory of 4272 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 1008 wrote to memory of 4272 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 4272 wrote to memory of 4868 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4272 wrote to memory of 4868 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4272 wrote to memory of 4644 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\cmd.exe
PID 4272 wrote to memory of 4644 | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Windows\system32\cmd.exe
PID 4644 wrote to memory of 1272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4644 wrote to memory of 1272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4644 wrote to memory of 2188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4644 wrote to memory of 2188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4644 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 4644 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2652 wrote to memory of 4500 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2652 wrote to memory of 4500 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2652 wrote to memory of 4756 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2652 wrote to memory of 4756 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 4756 wrote to memory of 1876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4756 wrote to memory of 1876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4756 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4756 wrote to memory of 2376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4756 wrote to memory of 2472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 4756 wrote to memory of 2472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2472 wrote to memory of 2388 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2472 wrote to memory of 2388 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2472 wrote to memory of 5088 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2472 wrote to memory of 5088 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 5088 wrote to memory of 3244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 5088 wrote to memory of 3244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 5088 wrote to memory of 3328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 5088 wrote to memory of 3328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 5088 wrote to memory of 2364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 5088 wrote to memory of 2364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 2364 wrote to memory of 468 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2364 wrote to memory of 468 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2364 wrote to memory of 3316 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 2364 wrote to memory of 3316 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 3316 wrote to memory of 4636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3316 wrote to memory of 4636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3316 wrote to memory of 3652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3316 wrote to memory of 3652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3316 wrote to memory of 3984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 3316 wrote to memory of 3984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
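Read as a list, the rows above are hard to follow; read as a tree they show one pattern repeated: the original dropper (PID 4664) registers the scheduled task, starts the copy it dropped into System32\SubDir (1784), and every SolaraExecutor.exe generation then registers the task again and spawns cmd.exe on a freshly written Temp batch file, which switches the code page, sleeps with ping and relaunches the same binary (4524, 4272, 2652, ...). Each parent/child pair is listed twice because the sandbox records two writes per spawn. The Python below is an added illustration, not part of the sandbox output: it parses a subset of the rows (copied from the table, embedded as constructed input), collapses the duplicates, rebuilds the lineage and flags each cmd.exe that ran chcp and ping and then relaunched its parent's image.

```python
"""Rebuild process lineage from 'PID X wrote to memory of Y' rows and flag the
relaunch loop SolaraExecutor.exe -> cmd.exe -> chcp/ping -> SolaraExecutor.exe.
Added example; not part of the sandbox report."""
import re
from collections import defaultdict

# Constructed input: rows copied from the WriteProcessMemory table above.
# The report lists each pair twice; parse_rows() keeps one edge per pair.
SAMPLE_ROWS = r"""
PID 4664 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4664 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4664 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 1784 wrote to memory of 2784 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1784 wrote to memory of 4572 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 4572 wrote to memory of 2216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4572 wrote to memory of 2224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4572 wrote to memory of 4524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
PID 4524 wrote to memory of 1520 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4524 wrote to memory of 1008 N/A C:\Windows\system32\SubDir\SolaraExecutor.exe C:\Windows\system32\cmd.exe
PID 1008 wrote to memory of 3736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1008 wrote to memory of 4736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 1008 wrote to memory of 4272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\SubDir\SolaraExecutor.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Return deduplicated (ppid, pid, parent_image, child_image) edges in report order."""
    seen, edges = set(), []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue                       # skip anything that is not a row
        ppid, pid = int(m[1]), int(m[2])
        if (ppid, pid) in seen:
            continue                       # second write for the same spawn
        seen.add((ppid, pid))
        edges.append((ppid, pid, m[3], m[4]))
    return edges


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(edges):
    """children: ppid -> [pid], image: pid -> full path, parent: pid -> ppid."""
    children, image, parent = defaultdict(list), {}, {}
    for ppid, pid, pimg, cimg in edges:
        image.setdefault(ppid, pimg)       # the root only ever appears as a parent
        image[pid] = cimg
        children[ppid].append(pid)
        parent[pid] = ppid
    return children, image, parent


def roots(edges):
    return sorted({p for p, _, _, _ in edges} - {c for _, c, _, _ in edges})


def find_restart_loops(edges):
    """(rat_pid, cmd_pid, relaunched_pid) for every cmd.exe that ran chcp.com and
    PING.EXE and then started the same image as its own parent."""
    children, image, parent = build_tree(edges)
    loops = []
    for cmd_pid, img in image.items():
        if basename(img) != "cmd.exe" or cmd_pid not in parent:
            continue
        kids = children[cmd_pid]
        names = {basename(image[k]) for k in kids}
        relaunched = [k for k in kids if image[k] == image[parent[cmd_pid]]]
        if {"chcp.com", "ping.exe"} <= names and relaunched:
            loops.append((parent[cmd_pid], cmd_pid, relaunched[0]))
    return loops


def render(edges):
    """Indented text tree, one 'pid basename' per line."""
    children, image, _ = build_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {basename(image[pid])}")
        for k in children[pid]:
            walk(k, depth + 1)

    for r in roots(edges):
        walk(r, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    print(render(edges))
    for rat, cmd, again in find_restart_loops(edges):
        print(f"relaunch loop: {rat} -> cmd.exe {cmd} -> {again}")
```

Applied to the full table, the loop check fires once per generation (1784, 4524, 4272, 2652, 2472, 2364), which is the signal to hunt for in EDR telemetry: a non-Microsoft binary under System32 whose grandchild, via cmd.exe and a Temp batch file, is a new instance of itself.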

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe

"C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W7lUz8pWMPpn.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\16ZVFvTZz0CJ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iPU1zKcBXY2l.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tfD9octdj03C.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCudxH9lkNFr.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VeFbEV00Wwzy.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fytIjLcgCjOP.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2EPZmyYmsYuF.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wC8XrhgPClRM.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\26O8SILkCMi4.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SvgLupwUcALz.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hux1T2XIq2Bb.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWKuUjNHFXWj.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IiE7ZcOOcVUd.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\SubDir\SolaraExecutor.exe

"C:\Windows\system32\SubDir\SolaraExecutor.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsjMQ4qbaTkr.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost
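The command lines above repeat four building blocks: a `schtasks /create` that names the task RtkAudUService64 (the name of Realtek's audio service binary, chosen to blend in) with an ONLOGON trigger, `/rl HIGHEST` and `/f` to overwrite silently; `cmd.exe /c` on a randomly named .bat in the user's Temp directory; `chcp 65001` so the batch file's output is UTF-8; and `ping -n 10 localhost` as a roughly ten-second sleep before the binary is started again. One caveat when scoring `/rl HIGHEST`: it asks for the highest token the account already has, so it elevates only when the logged-on user is an administrator; it is not a privilege escalation on its own. The Python below is an added example, not part of the report: it parses a `schtasks` invocation into its switches, lists the reasons this particular one stands out, and labels the other command-line shapes from the process list. The System32 subdirectory allowlist and the impersonation heuristic are my own assumptions to tune against a baseline.

```python
"""Triage schtasks persistence and the batch-file restart helpers seen in the
process list. Added example; not part of the sandbox report."""
import re

# Each /switch, optionally followed by a "quoted" value or a bare token that
# does not start with another slash.
OPT_RE = re.compile(r'/(\w+)(?:\s+(?:"([^"]*)"|([^\s/"]\S*)))?')

# Assumption: System32 subdirectories a task may legitimately point into.
SYSTEM32_DIRS_OK = {"wbem", "windowspowershell"}


def parse_schtasks(cmdline):
    """Map each /option (lower-cased) to its value, or True for bare switches."""
    opts = {}
    for m in OPT_RE.finditer(cmdline):
        value = m[2] if m[2] is not None else m[3]
        opts[m[1].lower()] = True if value is None else value
    return opts


def assess_schtasks(cmdline):
    """Human-readable findings for a 'schtasks /create' line; [] if it is not one."""
    o = parse_schtasks(cmdline)
    if "create" not in o:
        return []
    findings = []
    trigger = str(o.get("sc", "")).upper()
    if trigger in {"ONLOGON", "ONSTART"}:
        findings.append(f"/sc {trigger}: re-executes at every logon/boot")
    if str(o.get("rl", "")).upper() == "HIGHEST":
        findings.append("/rl HIGHEST: elevated token, but only if the user is an admin")
    if o.get("f") is True:
        findings.append("/f: silently replaces an existing task of the same name")
    target = str(o.get("tr", ""))
    tbase = target.rsplit("\\", 1)[-1]
    name = str(o.get("tn", ""))
    # Heuristic (assumption): a vendor-looking task name whose target is a
    # different binary is a masquerade, not a vendor task.
    if name and tbase and name.lower() not in tbase.lower():
        findings.append(f"task name {name!r} does not match target {tbase!r}")
    m = re.search(r"\\windows\\system32\\([^\\]+)\\", target, re.I)
    if m and m[1].lower() not in SYSTEM32_DIRS_OK:
        findings.append(f"target lives in unexpected System32 subdirectory {m[1]!r}")
    return findings


def classify(cmdline):
    """Label the command-line shapes that make up the restart loop."""
    low = cmdline.lower()
    if "schtasks" in low and assess_schtasks(cmdline):
        return "persistence:schtasks"
    if "cmd.exe" in low and re.search(r"\\temp\\[^\\]+\.bat", low):
        return "stager:batch-in-temp"
    if re.search(r"ping\s+-n\s+\d+\s+(localhost|127\.0\.0\.1)", low):
        return "delay:ping-sleep"
    if low.startswith("chcp "):
        return "noise:codepage"
    return "other"


if __name__ == "__main__":
    # Constructed input: command lines copied from the process list above.
    sample = [
        r'"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f',
        r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W7lUz8pWMPpn.bat" "',
        "chcp 65001",
        "ping -n 10 localhost",
    ]
    for line in sample:
        print(f"{classify(line):24} {line}")
    for f in assess_schtasks(sample[0]):
        print("  -", f)
```

On a live host the same task shows up with `schtasks /query /tn RtkAudUService64 /v /fo LIST`; compare its "Task To Run" with the path of the real Realtek service before deleting it, and remove `C:\Windows\System32\SubDir\` together with the task, since the next logon would otherwise recreate the process.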

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 udp
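Most of this table is noise: the in-addr.arpa rows are reverse lookups, and g.bing.com is background Windows traffic (the only TCP session in the capture). The signal is nohchy-47404.portmap.host, resolved fifteen times with no TCP session following, which fits a Quasar client configured to call home through a port-forwarding service (portmap.host hostnames front a forwarded port on the operator's machine) and unable to reach it during detonation. The C2 IP and port are therefore not on this page; the hostname is the indicator to block and to hunt for in DNS logs. The Python below is an added example, not part of the report: it parses the table (embedded here as constructed input copied from above), classifies each name, counts lookups against sessions, and lists the candidates worth acting on. The suffix lists are my own assumptions and should be extended from local intel.

```python
"""Classify sandbox DNS/TCP rows: strip reverse-lookup and background noise,
surface port-forwarding / tunnel hostnames, and note whether a session followed.
Added example; not part of the sandbox report."""
import re
from collections import defaultdict

# Constructed input: the Network table above, one row per line.
SAMPLE_ROWS = """
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 nohchy-47404.portmap.host udp
US 8.8.8.8:53 udp
"""

# country, ip:port, optional domain, protocol
ROW_RE = re.compile(r"^(\w{2})\s+(\S+):(\d+)\s+(\S*?)\s*(udp|tcp)$")

# Assumption: services that hand a public hostname/port to a box behind NAT.
TUNNEL_SUFFIXES = ("portmap.host", "portmap.io", "ngrok.io", "ngrok-free.app")
# Assumption: OS/browser background traffic seen in most Windows detonations.
BENIGN_SUFFIXES = ("bing.com", "microsoft.com", "msftconnecttest.com")


def _under(domain, suffixes):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def classify(domain):
    d = domain.lower()
    if not d:
        return "no-name"
    if d.endswith(".in-addr.arpa"):
        return "reverse-lookup"
    if _under(d, TUNNEL_SUFFIXES):
        return "tunnel-service"
    if _under(d, BENIGN_SUFFIXES):
        return "benign-background"
    return "unknown"


def triage(text):
    """domain -> {'class', 'queries' (DNS lookups), 'tcp' (sessions), 'dests'}."""
    per = defaultdict(lambda: {"class": None, "queries": 0, "tcp": 0, "dests": set()})
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        _, ip, port, domain, proto = m.groups()
        rec = per[domain]
        rec["class"] = classify(domain)
        if proto == "udp" and port == "53":
            rec["queries"] += 1
        elif proto == "tcp":
            rec["tcp"] += 1
            rec["dests"].add(f"{ip}:{port}")
    return dict(per)


def c2_candidates(report):
    """(domain, lookups, verdict) for tunnel-service and unknown names."""
    out = []
    for d, r in report.items():
        if r["class"] in ("tunnel-service", "unknown"):
            verdict = "session observed" if r["tcp"] else "no TCP session in capture"
            out.append((d, r["queries"], verdict))
    return sorted(out)


if __name__ == "__main__":
    for d, n, verdict in c2_candidates(triage(SAMPLE_ROWS)):
        print(f"{d}: {n} lookups, {verdict}")
```

A name that is looked up repeatedly without a session is still an indicator: the client retries until the forward comes up, so a DNS-log search for the hostname, or for the `portmap.host` suffix generally, finds infected hosts even while the operator's side is offline.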

Files

memory/4664-0-0x00007FFFF7C63000-0x00007FFFF7C65000-memory.dmp

memory/4664-1-0x0000000000A30000-0x0000000000D54000-memory.dmp

memory/4664-2-0x00007FFFF7C60000-0x00007FFFF8721000-memory.dmp

C:\Windows\System32\SubDir\SolaraExecutor.exe

MD5 3cf4f19b7c69135acb3c4c9bb9cdfb90
SHA1 e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
SHA256 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
SHA512 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd

memory/1784-9-0x00007FFFF7C60000-0x00007FFFF8721000-memory.dmp

memory/4664-8-0x00007FFFF7C60000-0x00007FFFF8721000-memory.dmp

memory/1784-10-0x00007FFFF7C60000-0x00007FFFF8721000-memory.dmp

memory/1784-11-0x000000001BE80000-0x000000001BED0000-memory.dmp

memory/1784-12-0x000000001BF90000-0x000000001C042000-memory.dmp

memory/1784-17-0x00007FFFF7C60000-0x00007FFFF8721000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\W7lUz8pWMPpn.bat

MD5 070549048e8e636c807b7712d810adec
SHA1 e0f480cd300d6ae877e6b40d3eafb83e13c75534
SHA256 b72fbb8bcc31061d001943a29d685c0a7beec4e9083f1eb563fa4a42c59e6058
SHA512 60ad384d83f78aa5a3d04005bf444536477f024483db23c75cebbf53545eac0d79670faddbdfe0f7f219d49eb50bcf9ffa4cd4ec071dce749e191b0932f7ff76

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SolaraExecutor.exe.log

MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

C:\Users\Admin\AppData\Local\Temp\16ZVFvTZz0CJ.bat

MD5 42a16d2653c8301d7a440acec0d7c599
SHA1 0ccdec5d54d22335cdc18e26b32ad3248b83249b
SHA256 7947e8abd5bae56cb3980ca9f8b7942895836ec4d5ce7841f6f1f5565c857a7e
SHA512 fa220b3e5b734420f4eb4a856102118897f4e426c55cc88b8b00c1111a5c77fc97207f2c9d1e2a7d47e0f7e379c9257783665b497b256a8524917a374d081390

C:\Users\Admin\AppData\Local\Temp\iPU1zKcBXY2l.bat

MD5 eb10acb7880f5e49f7837b539522a971
SHA1 d1dcc55ecaaf875a65c4c303d4af750ff5ff9e7b
SHA256 c4a10a643f041b610ef1d84539b39c973d2f859e62f2016ecd17c3386d86c75b
SHA512 ce147a19da372b976833cc8d41ca0915b7313115c0622c27431eec7e66539e65e7464530d4d8a27a91bcee492c795a43d15f42736b60bf59f95d4ee8bc6acb48

C:\Users\Admin\AppData\Local\Temp\tfD9octdj03C.bat

MD5 f155d0c10d4fc156fba3581f56d4807f
SHA1 35d7f4cd53ec3109ac508e228961c48fa811beb6
SHA256 46a9d4698abf34d87d53f13fec2b7bd2094fe5a5f2191f383faed25084241753
SHA512 257b8f2e2487e0f0033433e86a8245deef60557b4d2fbf24aa130c3e939cfd9b03c1150c3a4f57325fc396c607c74b2addeff3448dd80d51eb31216c5691c396

C:\Users\Admin\AppData\Local\Temp\WCudxH9lkNFr.bat

MD5 3df43601304ffce256a6f3b418b03434
SHA1 b8537bc4a1a3c738ee27a15720b64910ce8e2254
SHA256 78bcbcc7a87d14a8d98c4bd0a7b62858503f1d6033326b4b514c2eb1f9bbff38
SHA512 ddb103014a88fdcaeff8ee2a8cbfecb791ac91fce61b0d1bd47acee9589d98a141356a94e7308c516f46c5d394a18ecc2eec812a1eb2fde69aa5c102c9c1886b

C:\Users\Admin\AppData\Local\Temp\VeFbEV00Wwzy.bat

MD5 38193cab429c33fc2679e7431003f4f3
SHA1 f57888f8e7749cb09425fc57898fc47f310383c3
SHA256 7bf72f15b7f4a85791b9ef5363ee2dad93be666babb569e6d2a3d57cdba2a702
SHA512 6019ec08d9be7ed9e375f92ffbef7461a909507a63fa038e5311dc89deca666a722448172ec8f21a6fb39cb45719097ca56a8f519f4916d99505f4d5cc95d199

C:\Users\Admin\AppData\Local\Temp\fytIjLcgCjOP.bat

MD5 87568cd9af95148d9b35dbba41b8f330
SHA1 25d04d31440b93b3e2b502d2a7380d6303fdc41c
SHA256 7f480b1ab30645eb49bbe4505732eb606e777c64a8051f225998be48442f0fb6
SHA512 d94103999c3dd72c6d600fad0d7e93d57759a539d4a02c89126604bfe240f496ad8f6d87fd0963f3c8c9a87bc826730269339fae874fc2af56cdc3dc4d991c88

C:\Users\Admin\AppData\Local\Temp\2EPZmyYmsYuF.bat

MD5 0c88452007f4908fd748306a01446a90
SHA1 4440a55bb618485a0c9b3e0902ac38d589f5ac07
SHA256 0d25afaf76d52870d770930a184d14256aaaebe1ae711bb941953bbf34611c37
SHA512 f1d9ff78dcbd0f2a70cb8808d5e95fe684682766fa570a900298289d0ebaf62e65b40b2d1a00fd0888e26a17205feb6ea8a9db66000a94f0d66032cea575ccd7

C:\Users\Admin\AppData\Local\Temp\wC8XrhgPClRM.bat

MD5 d60f1414ba53f0445c10e5c8de3a33b8
SHA1 5a22ec80c0e547fd9c137968f150d20c95536d45
SHA256 a82122a55d481c0c5e3babec8aa201cd025f9f01fa6a7b6174ac2af9de7b0061
SHA512 c6c760ea0bfb13208a1e0313cf4df76be9516198be3bd29689879c7aca0255562444b5208e83bc285306159b88515882c1653fd4f0be27bc6ede7c3a424dcf4c

C:\Users\Admin\AppData\Local\Temp\26O8SILkCMi4.bat

MD5 440b296784dc2f4e831d12bf2c3c28ef
SHA1 88c9efb2d7003be87665f66bd0c488ca738f3930
SHA256 852f0865045eb7d2e78a8478dd92560076da0b23edc693c45658f7459f876993
SHA512 d7e75e1a95d9fdbc80bd72157ce65bc25d9a51d62384bd840b5d572f548585f45d20e2bd4525753640f8cdd60f355a8b3b349683160fc3742619953bc735ac87

C:\Users\Admin\AppData\Local\Temp\SvgLupwUcALz.bat

MD5 9775265be84061192297a83a83403c1f
SHA1 13cc01f0044b636c9876ae15a0d85ab87f1a0822
SHA256 f3f9c0e7d87c8841df93c0dfb817b4726bb6556a409b9d3b86636d068c57fff0
SHA512 a5821c4b1f6a7d580936cb9aafe16774099f5651044abd24bbde3bd6ccb7b37228876ab94538bf69750d64923c3ed4806db07017e1b7810880473445d143a378

C:\Users\Admin\AppData\Local\Temp\Hux1T2XIq2Bb.bat

MD5 48a08052aec2100a51a55ec2c4246d69
SHA1 59c7271cbf6c76d984b37145072649837ba42b7d
SHA256 68c194cbf1607b0a2ce4ee26e4942f6e6fcdbfcb0b528dac52f4dbfa4714e2cf
SHA512 b629faa78b9ce2b08dc84d6ca38852d10fafa4bcaa5927a4743e892189b9db3202266b6baae11645077393fb88e95a8d4c6d87920724f913cd4976a9d69c1daa

C:\Users\Admin\AppData\Local\Temp\TWKuUjNHFXWj.bat

MD5 aeb6b9875c59a725915266ef4b1dfbac
SHA1 a64b0a1ee69047552f76b55af392c815dc97b43f
SHA256 d53c36330516ccac7b1de8c7dd4ff7376878790d279fb3ced62c378a81d744e1
SHA512 eedb0662f7094afbf7c8d69e72f65d84083309d72779e0e36855ee69efa6667e18ef746ec83a94262983915726c306923a46ca7106b56a5b0caab256fdd1940f

C:\Users\Admin\AppData\Local\Temp\IiE7ZcOOcVUd.bat

MD5 5ecf5ae4ced512ea6e0d5b3cc700f62a
SHA1 325fb18e5120320ad930852cbf1a3fd3d2da284c
SHA256 4709a7fb3d85b793563be539465b84fd02cd292042e6368116ef6ab0ffae7a4d
SHA512 96367156b534afb36783c7397b8f1d6f5b69096dc201ac54050ea003e793b7f1f6ca33a864168bf7c270be078c2d18383b09dc0a9da633d5727ac7c4439b9d3a

C:\Users\Admin\AppData\Local\Temp\PsjMQ4qbaTkr.bat

MD5 66ef3d7e3bdaaac4ec44542d6821b2ea
SHA1 28928bb1c2f16223268f332f88b40e69a0f529fe
SHA256 59ad232060eb121284110bfe0be3d5eca0123a30367e6933e9f739f6e73a0746
SHA512 53541d7c23de5bdc75eab66e5845c31f964c574c9ecf715588f5c0f041c7e1bfaad43288478c83fe62ded4134b7a59647b0f0e47140d727b718b9c047c58bc3a