Analysis Overview
SHA256
6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
Threat Level: Known bad
The file Solara.exe was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Quasar family
Executes dropped EXE
Checks computer location settings
Drops file in System32 directory
Unsigned PE
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
Runs ping.exe
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-03 18:23
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-03 18:23
Reported
2024-08-03 18:25
Platform
win7-20240729-en
Max time kernel
143s
Max time network
17s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\Solara.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\Solara.exe | N/A |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SK5H3Korz0Nr.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\iS0vXBTx76Oq.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\beIjAqYj6C0z.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Ri9sI293ECw4.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\O2DknaK2haHZ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\k2aD27vUHmUc.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\byK9SXkdgp8k.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4rinAEpdqkIa.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Wx4UDzm0raJA.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\PVZXIWmrS2Nq.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IGBm0SBLYEQe.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\nKsFkfG6mL8T.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\cEDflr4PDprn.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\SK0VdrIKZnli.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\Q5z56clmd1FE.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
Files
C:\Windows\System32\SubDir\SolaraExecutor.exe
| MD5 | 3cf4f19b7c69135acb3c4c9bb9cdfb90 |
| SHA1 | e2b5a40dd2abfa03671fde7c4e74f9b2846f989f |
| SHA256 | 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf |
| SHA512 | 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd |
C:\Users\Admin\AppData\Local\Temp\SK5H3Korz0Nr.bat
C:\Users\Admin\AppData\Local\Temp\iS0vXBTx76Oq.bat
C:\Users\Admin\AppData\Local\Temp\beIjAqYj6C0z.bat
C:\Users\Admin\AppData\Local\Temp\Ri9sI293ECw4.bat
C:\Users\Admin\AppData\Local\Temp\O2DknaK2haHZ.bat
C:\Users\Admin\AppData\Local\Temp\k2aD27vUHmUc.bat
C:\Users\Admin\AppData\Local\Temp\byK9SXkdgp8k.bat
C:\Users\Admin\AppData\Local\Temp\4rinAEpdqkIa.bat
C:\Users\Admin\AppData\Local\Temp\Wx4UDzm0raJA.bat
C:\Users\Admin\AppData\Local\Temp\PVZXIWmrS2Nq.bat
C:\Users\Admin\AppData\Local\Temp\IGBm0SBLYEQe.bat
C:\Users\Admin\AppData\Local\Temp\nKsFkfG6mL8T.bat
C:\Users\Admin\AppData\Local\Temp\cEDflr4PDprn.bat
C:\Users\Admin\AppData\Local\Temp\SK0VdrIKZnli.bat
C:\Users\Admin\AppData\Local\Temp\Q5z56clmd1FE.bat
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-03 18:23
Reported
2024-08-03 18:25
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
148s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\Solara.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\Solara.exe | N/A |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\Solara.exe | "C:\Users\Admin\AppData\Local\Temp\Solara.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0TifzbZREaaA.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KVHNKoo84m7I.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PCNZObr3IZBE.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eDVmalsg2rlK.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aNYJFrQrZNuu.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lF9Kh7HXrNpT.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ajD1xA4nKR2F.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCi1ZImwhHMm.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HW3c7NlhGQZx.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l5XCbTtHrfaJ.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EHqIkVX9LdFh.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZyI0KxOf1H4O.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wptF5b7z9Lgl.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\V9V23lehc3Sg.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zR39jPqCVTgf.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
Files
memory/2860-0-0x00007FFCEFC63000-0x00007FFCEFC65000-memory.dmp
memory/2860-1-0x0000000000930000-0x0000000000C54000-memory.dmp
memory/2860-2-0x00007FFCEFC60000-0x00007FFCF0721000-memory.dmp
C:\Windows\System32\SubDir\SolaraExecutor.exe
| MD5 | 3cf4f19b7c69135acb3c4c9bb9cdfb90 |
| SHA1 | e2b5a40dd2abfa03671fde7c4e74f9b2846f989f |
| SHA256 | 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf |
| SHA512 | 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd |
memory/2636-9-0x00007FFCEFC60000-0x00007FFCF0721000-memory.dmp
memory/2860-8-0x00007FFCEFC60000-0x00007FFCF0721000-memory.dmp
memory/2636-10-0x00007FFCEFC60000-0x00007FFCF0721000-memory.dmp
memory/2636-11-0x000000001C7B0000-0x000000001C800000-memory.dmp
memory/2636-12-0x000000001C8C0000-0x000000001C972000-memory.dmp
memory/2636-17-0x00007FFCEFC60000-0x00007FFCF0721000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0TifzbZREaaA.bat
| MD5 | 1cd76710e4c313362519362848ebba08 |
| SHA1 | 7bd5d966ab36ba28a0c9bdd68cc952aa3798e432 |
| SHA256 | fabae4d1565ffc4dec7ef8b5e36a1ad883995fa8c285a54efad11eb345f34d10 |
| SHA512 | 1f8c7186a92a89558027c14444eac8c3df7656416dd6e86804e3d082464f4056f98790d7953fe4ddf162128453efe80a577e9e5637fa7529c9e1cdff802aad5f |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SolaraExecutor.exe.log
| MD5 | 8f0271a63446aef01cf2bfc7b7c7976b |
| SHA1 | b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7 |
| SHA256 | da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c |
| SHA512 | 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5 |
C:\Users\Admin\AppData\Local\Temp\KVHNKoo84m7I.bat
| MD5 | 6461af99e4d0417acea664e6591b2703 |
| SHA1 | cee514ad1ab37449cd8d35648f053784f4478884 |
| SHA256 | 81a94b4ab4d37dab1eb9fe6aa6a195dc863a6e18b755de0fa404a5704d5c1f95 |
| SHA512 | 475598ad7b82e5b246749ee08f2aa698010d706638e6075f5c7cf3708e7e56c89483c23f25ea6d52e1e79adc5391dadef3804f29cc9d053149fff78a00fc13e1 |
C:\Users\Admin\AppData\Local\Temp\PCNZObr3IZBE.bat
| MD5 | 739dbe206824d7c992b5734f419a6b9a |
| SHA1 | 64cb449d596855d856835ac11623c7f4084f37a6 |
| SHA256 | a776b4ebca6a931f52a4f0c83ccd93b12c0c1429723773929d22565c46450304 |
| SHA512 | 207d0b05371a34a3d5bbd991271ac6ae03e819fbea367f843ef93e4cd3094a9c0a2e04a04fe7546017485145540c556d9d04f68998de182fe1fc36257201f2d4 |
C:\Users\Admin\AppData\Local\Temp\eDVmalsg2rlK.bat
| MD5 | bb9b1d674aa2c2791b86955d35f64412 |
| SHA1 | c0cd246e7ce234bb53a8f298b2a60cf591212be0 |
| SHA256 | 922ddd783b43e71a5cd0541cc2f63a3d7966df9ed884b3d28acf37887a6ba42c |
| SHA512 | 3b714e67a19df6d2ce4c8b513332fb634aaf2a2990563e80233a6291b2bf6bedd4f5e751c59a044cde9a0f6601909e539abeb91c9527081e9c619aa9cdaaed84 |
C:\Users\Admin\AppData\Local\Temp\aNYJFrQrZNuu.bat
| MD5 | a8c8490b338af057950cc63c8b1725a6 |
| SHA1 | 7b48cef79427ca6e9e09b112cb103b47c53e472f |
| SHA256 | 5c5ed0ebed4e41384cc1ef85d2c04cc43ac819ccdcf76068ab39538e51fb4e48 |
| SHA512 | aae5f0aad4cfe91fb062fdc1ddc70bc6ce684c60d7dbd400680481f85635733f4818de31c4126974da868be8e3352ceec3338a164f28d1dd2f955cfd59712aa3 |
C:\Users\Admin\AppData\Local\Temp\lF9Kh7HXrNpT.bat
| MD5 | e8e0d0f8fc5b771ce993197619dedd47 |
| SHA1 | ed45ec2415de9d45b43834fbc498301951990ef6 |
| SHA256 | 1baf7f0805050659d1191830f71ae0de684d0778206835d31cc517ccd7ff327d |
| SHA512 | 50de07b512cc7030f0d3a8e0594dfc056e44368ba7c0d880d8b91f023393bf8cd9b359ac77cbeb8564d21675ede8c7926cc7d1ec35734bf7f188f2ba7cd20386 |
C:\Users\Admin\AppData\Local\Temp\ajD1xA4nKR2F.bat
| MD5 | efa4ea0447615fe33763394a0c1f00be |
| SHA1 | c3579195fdd1506bdfd473ea2f5f1ce296425a12 |
| SHA256 | f35db88a314e471af2dd57c1e583b5f350e6177d94177b4eb523dd12493e1ff4 |
| SHA512 | e853a18d552e09c29f0963937ce5d50952abfe10fe74635403e214c427f01187bfd41870c70b934e90a99eb9bfb85617136fa6246fd7df431437d7d2e1db82f2 |
C:\Users\Admin\AppData\Local\Temp\FCi1ZImwhHMm.bat
| MD5 | 7c5470d423bc8039eb6a3f135ed32d43 |
| SHA1 | c878788ef6a352ab684e6241ba9f02ee5e7ca377 |
| SHA256 | ed7ff64ff3aa7f3266d02ee901d91fcec437944839f374c5f1e7fc89854fc8ab |
| SHA512 | 5f2759928316fb53f135ee7d50b55a64f94d703fa1eb5d0dc085c898d591d42233810a28d500d0c8c3dab7dcce2d715332b72142fc01f5197cbfbd8aaaa0c704 |
C:\Users\Admin\AppData\Local\Temp\HW3c7NlhGQZx.bat
| MD5 | 134ffb17bdec5ec5b32ba20bde8eef08 |
| SHA1 | 52a2e11b83095f69434824f02dd43a0de87d87c1 |
| SHA256 | 690286a3471e2979acec95bedda89059b4af11cb31d3f02cf1108aa24dcfdc63 |
| SHA512 | 1540437b03ee0412b3f5593135e15984db229cef03ba5391d4b1da24d8e36399d3a027802fb697a36d4b2d5f369f23429db9964d4d2cd52b4ce4d3cc80b81b09 |
C:\Users\Admin\AppData\Local\Temp\l5XCbTtHrfaJ.bat
| MD5 | 0448e9784ad8354ec9cf02966b7001dd |
| SHA1 | dd3a1cc8870e052b4d7b0daaba209e954e1bde90 |
| SHA256 | a364dd83598c837b4783b433a79ac856634e4e9342c413b825ef642289920c0d |
| SHA512 | 1eb98babacbe1146a6873ecce6d6ff1ac2a2b0e54342d026fb8f502bd4b10bc534941557c810c05c8f60e69463e47851ae213571d7cd59449159d72de41d10a0 |
C:\Users\Admin\AppData\Local\Temp\EHqIkVX9LdFh.bat
| MD5 | f01847bc0fab2b54e2281d85a6753f19 |
| SHA1 | 018a3ada069f2bddcee86ed08c280e2b989ed6ee |
| SHA256 | 21910cda11a7852ba15253d251ec3c52fc1286b33c9607bd985fd9b622c4e6e1 |
| SHA512 | 4bafdc821319ba871ea405557f12f7e2eaa8dc9278740dcac61a1cd5afd69922a3d3e8728f435d834af9dbdb456cca9656076c045d6912d4039319ceb762d9f5 |
C:\Users\Admin\AppData\Local\Temp\ZyI0KxOf1H4O.bat
| MD5 | 08d3d5615c7c7ac2c732045a26eaa862 |
| SHA1 | c42a4d1971908b4ffa93efb2f3c353d526eb2b34 |
| SHA256 | 1129d4cdc52531d47d3e6e0697306e4532936550b22863c5dbe1504e895ac5fa |
| SHA512 | d180431b9c1773a104e19e06dd55568bbfa2df4752e01325e65212d7e2bbe2c63c708f54d584e8c0eaf85310391530e81a84a8a15c3c01ad6031322e5be9288d |
C:\Users\Admin\AppData\Local\Temp\wptF5b7z9Lgl.bat
| MD5 | 67cd413d02ddd4c6cf021ebaba433655 |
| SHA1 | 3123de6fec570cad8d09e11517d3a989b86748f7 |
| SHA256 | ad5db7141a167e5cb716cc5af6626f4b010e4ccfc1bd4340e71bf33cc7a23e23 |
| SHA512 | 887545913536cb5bbfdf5a2733bc44a57dd356f996e75c6be193ca93ee5fa3a600eb069442d42b3519cd287fff6823d7ec8df817591ab3ab6ae6b2a6b5386e68 |
C:\Users\Admin\AppData\Local\Temp\V9V23lehc3Sg.bat
| MD5 | e67e7c45ba92c0847c524d80fe9f271d |
| SHA1 | 0ca8d830a5deed89f003343d1b1d55af83734790 |
| SHA256 | 94bf8152b92837575685435d7f52ce1c98dbcfc1a7283edd22fdb95a2c5b1b46 |
| SHA512 | 336c44da01fddb3aa9869ee6f38e1bcefcba822ba00aac895b4e39fe2ad627ebc91be5acaeddb28b2bb0c125397fc8b1f80dafd66f326d9f92af042ec89efe14 |
C:\Users\Admin\AppData\Local\Temp\zR39jPqCVTgf.bat
| MD5 | f0ecb3ecc92d79108905be24f939a705 |
| SHA1 | 8d8d3d8f61ae9023461b5c9fff9796b12bd1b3a4 |
| SHA256 | 6d84d9ed92a1ec4020a1e0886cbb863436c20bf862195836a7a488b0e1a0e148 |
| SHA512 | 791097a295e1e14aec5f7cea1a8fca23802d4ccd9d169367b910b68d1e6e3630ab0249a5bc7f2eacd1c0a308fc4ee98cfc720679c7a85d18d8fbe98fd6de9e18 |