Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-08-2024 18:05

General

  • Target

    Solara.exe

  • Size

    3.1MB

  • MD5

    3cf4f19b7c69135acb3c4c9bb9cdfb90

  • SHA1

    e2b5a40dd2abfa03671fde7c4e74f9b2846f989f

  • SHA256

    6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf

  • SHA512

    4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd

  • SSDEEP

    49152:DvehBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaxAtueYFoGdXTHHB72eh2NT:DvAt2d5aKCuVPzlEmVQ0wvwf+tuee

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

nohchy-47404.portmap.host:47404

Mutex

1a1e174b-dbf8-49ad-9b43-2cfbb233a6d9

Attributes
  • encryption_key

    795CDD46D2CDD422BE523F263B64E03D8B6AAD42

  • install_name

    SolaraExecutor.exe

  • log_directory

    Logs

  • reconnect_delay

    2000

  • startup_key

    RtkAudUService64

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Solara.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3940
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1040
    • C:\Windows\system32\SubDir\SolaraExecutor.exe
      "C:\Windows\system32\SubDir\SolaraExecutor.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:5040
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4360
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z4M5kiPTYYyu.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3468
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:5084
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2684
          • C:\Windows\system32\SubDir\SolaraExecutor.exe
            "C:\Windows\system32\SubDir\SolaraExecutor.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:3248
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:4488
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10NkFlgz8mo3.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1208
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:4280
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:1912
                • C:\Windows\system32\SubDir\SolaraExecutor.exe
                  "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of WriteProcessMemory
                  PID:1104
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:2912
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8Yl9PML3brQU.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3920
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:1904
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:4320
                      • C:\Windows\system32\SubDir\SolaraExecutor.exe
                        "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of WriteProcessMemory
                        PID:4324
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:2300
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s2bIukoWT1E3.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2232
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:1084
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:4364
                            • C:\Windows\system32\SubDir\SolaraExecutor.exe
                              "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              • Suspicious use of WriteProcessMemory
                              PID:2124
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:2000
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fFHYGP0vUWNx.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:4712
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:392
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:3152
                                  • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                    "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of FindShellTrayWindow
                                    • Suspicious use of SendNotifyMessage
                                    • Suspicious use of WriteProcessMemory
                                    PID:3656
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                      13⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:2240
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l7PwLQ4u8UkO.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:4536
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                          PID:2824
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:3736
                                        • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                          "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                          14⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of FindShellTrayWindow
                                          • Suspicious use of SendNotifyMessage
                                          PID:1820
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                            15⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2600
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7VUJLkZOHxXU.bat" "
                                            15⤵
                                              PID:1384
                                              • C:\Windows\system32\chcp.com
                                                chcp 65001
                                                16⤵
                                                  PID:4028
                                                • C:\Windows\system32\PING.EXE
                                                  ping -n 10 localhost
                                                  16⤵
                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                  • Runs ping.exe
                                                  PID:1908
                                                • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                  "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                  16⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of FindShellTrayWindow
                                                  • Suspicious use of SendNotifyMessage
                                                  PID:1920
                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                    17⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:3548
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i96WVCWjJemA.bat" "
                                                    17⤵
                                                      PID:3916
                                                      • C:\Windows\system32\chcp.com
                                                        chcp 65001
                                                        18⤵
                                                          PID:3804
                                                        • C:\Windows\system32\PING.EXE
                                                          ping -n 10 localhost
                                                          18⤵
                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                          • Runs ping.exe
                                                          PID:4556
                                                        • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                          "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                          18⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • Suspicious use of FindShellTrayWindow
                                                          • Suspicious use of SendNotifyMessage
                                                          PID:3456
                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                            "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                            19⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:4740
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h7QxbW05AjZj.bat" "
                                                            19⤵
                                                              PID:4532
                                                              • C:\Windows\system32\chcp.com
                                                                chcp 65001
                                                                20⤵
                                                                  PID:2400
                                                                • C:\Windows\system32\PING.EXE
                                                                  ping -n 10 localhost
                                                                  20⤵
                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                  • Runs ping.exe
                                                                  PID:1484
                                                                • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                                  "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                                  20⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • Suspicious use of FindShellTrayWindow
                                                                  • Suspicious use of SendNotifyMessage
                                                                  PID:4436
                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                    21⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4800
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pdklk7DMGvcO.bat" "
                                                                    21⤵
                                                                      PID:1088
                                                                      • C:\Windows\system32\chcp.com
                                                                        chcp 65001
                                                                        22⤵
                                                                          PID:1412
                                                                        • C:\Windows\system32\PING.EXE
                                                                          ping -n 10 localhost
                                                                          22⤵
                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                          • Runs ping.exe
                                                                          PID:1624
                                                                        • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                                          "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                                          22⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          • Suspicious use of FindShellTrayWindow
                                                                          • Suspicious use of SendNotifyMessage
                                                                          PID:3388
                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                            "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                            23⤵
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:4524
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMaTqvpRpLak.bat" "
                                                                            23⤵
                                                                              PID:4360
                                                                              • C:\Windows\system32\chcp.com
                                                                                chcp 65001
                                                                                24⤵
                                                                                  PID:3372
                                                                                • C:\Windows\system32\PING.EXE
                                                                                  ping -n 10 localhost
                                                                                  24⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  • Runs ping.exe
                                                                                  PID:4664
                                                                                • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                                                  "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                                                  24⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                  • Suspicious use of SendNotifyMessage
                                                                                  PID:3928
                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                                    25⤵
                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                    PID:3880
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUgUil5dJDin.bat" "
                                                                                    25⤵
                                                                                      PID:3844
                                                                                      • C:\Windows\system32\chcp.com
                                                                                        chcp 65001
                                                                                        26⤵
                                                                                          PID:3864
                                                                                        • C:\Windows\system32\PING.EXE
                                                                                          ping -n 10 localhost
                                                                                          26⤵
                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                          • Runs ping.exe
                                                                                          PID:3592
                                                                                        • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                                                          "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                                                          26⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                          • Suspicious use of SendNotifyMessage
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:4968
                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                            "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                                            27⤵
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:4112
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iXguQ6uo2gzG.bat" "
                                                                                            27⤵
                                                                                              PID:4516
                                                                                              • C:\Windows\system32\chcp.com
                                                                                                chcp 65001
                                                                                                28⤵
                                                                                                  PID:4744
                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                  ping -n 10 localhost
                                                                                                  28⤵
                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                  • Runs ping.exe
                                                                                                  PID:1280
                                                                                                • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                                                                  "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                                                                  28⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                  PID:528
                                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                                                    29⤵
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:2832
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D22bRPcIhzjU.bat" "
                                                                                                    29⤵
                                                                                                      PID:2416
                                                                                                      • C:\Windows\system32\chcp.com
                                                                                                        chcp 65001
                                                                                                        30⤵
                                                                                                          PID:2320
                                                                                                        • C:\Windows\system32\PING.EXE
                                                                                                          ping -n 10 localhost
                                                                                                          30⤵
                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                          • Runs ping.exe
                                                                                                          PID:2224
                                                                                                        • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                                                                          "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                                                                          30⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                          PID:872
                                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                            "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                                                            31⤵
                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                            PID:1872
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\53694SMDEX20.bat" "
                                                                                                            31⤵
                                                                                                              PID:5004
                                                                                                              • C:\Windows\system32\chcp.com
                                                                                                                chcp 65001
                                                                                                                32⤵
                                                                                                                  PID:2364
                                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                                  ping -n 10 localhost
                                                                                                                  32⤵
                                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                  • Runs ping.exe
                                                                                                                  PID:896

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                   Downloads

                                                   • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SolaraExecutor.exe.log
                                                     Filesize: 2KB
                                                     MD5: 8f0271a63446aef01cf2bfc7b7c7976b
                                                     SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
                                                     SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
                                                     SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

                                                   • C:\Users\Admin\AppData\Local\Temp\10NkFlgz8mo3.bat
                                                     Filesize: 204B
                                                     MD5: 40621cf419a4da2c974786fe716f5dad
                                                     SHA1: dbab41c31e99da0ae6786fa30df847750385e90e
                                                     SHA256: 5afa70b6da475661b86e4a02dd414b4c2c441a468b021d55aa0abf685781fa1d
                                                     SHA512: 38a243bbb6a0495dd9b3eab9f996acb61acef2ed17a06d75809aa040fdd96e8532f58d68b9ebc60d00f9b9c847e03d496bb1dfce11baa7938c40c585768da8ee

                                                   • C:\Users\Admin\AppData\Local\Temp\53694SMDEX20.bat
                                                     Filesize: 204B
                                                     MD5: 6fdc4c06c7ac498106ee58807f233e52
                                                     SHA1: 72a0ad95df4389358b2e45f7956c5c0d5fe2fa7d
                                                     SHA256: 032f0593c8cb21039121b0521da9521b924d71f8a30cc13d9dd4a54d47e89d9d
                                                     SHA512: d1d01bef23b3f9d3bf59a4c78902ef2fe215b63782146a7c6c96957150bbcad562bc59ae42fcc6a9c385f319194dfbf4a31baab61851977d37ba122ddc2c7970

                                                   • C:\Users\Admin\AppData\Local\Temp\7VUJLkZOHxXU.bat
                                                     Filesize: 204B
                                                     MD5: 266e0d962bf3b8926a98c0e03aba1987
                                                     SHA1: c052a3186f1e074bcff2334c99abec2311e96448
                                                     SHA256: 5d7268d9723281442ec3e7105607acbac7d701ca9446375bcfe1fb500e72a600
                                                     SHA512: 934d5ba14c01f9184532ca646e041c49f7af8bbc39087bb43e4b74ebf8ac514a93454d14307a443f28d34c624e5aee552e0ed1ba5eeb6773adeb841757a41157

                                                   • C:\Users\Admin\AppData\Local\Temp\8Yl9PML3brQU.bat
                                                     Filesize: 204B
                                                     MD5: 9c6b4678c45b47807860741d61b85531
                                                     SHA1: 13c3fed0c66254152edc41c5eb29aaf1c9d61405
                                                     SHA256: a4c66ce82dcc0bc69cce517506652c6908f9f92390f2bc728eb9e2da21a646eb
                                                     SHA512: d4774040a60aa5ef8f22bda643cf5190242f858309073e403c79777f1f9eddd914094c4a6d954e117ad932796b43a2d7bba6ba6b7f6bfa3e6bc19bcc8bd2bade

                                                   • C:\Users\Admin\AppData\Local\Temp\D22bRPcIhzjU.bat
                                                     Filesize: 204B
                                                     MD5: 9fb104d375e27264d2fb51bfca5d2aeb
                                                     SHA1: 071c29ba9a55b3e32f414305aa1895df9f5e0db1
                                                     SHA256: e8f5dd2779730c5ac6c95000ec5fa523d1544131d7f7edd6614ddc74be6b850b
                                                     SHA512: b1f7f2753309db5445b34dc0385f65666d54c4fea1840ed4817db7d430fa986a36d12a223e84242819331e961040922b3e01ca44f91da366673bd134e0de0596

                                                   • C:\Users\Admin\AppData\Local\Temp\QUgUil5dJDin.bat
                                                     Filesize: 204B
                                                     MD5: 9271c2f9c5914c0d4a5804729fc1d8c3
                                                     SHA1: f0de19e1d621b8a4b4bb01da01cbde82488c7db8
                                                     SHA256: f5fd50f295a7cedf1dbd65e55b5c50ff659e7f535936e7217a4a26121f14e3cd
                                                     SHA512: 67901d17ff82314d9bd6ccc8a9acc8c37a60cf3147b61c66140842a0c5c9b92ac8451365bb49ed6728402e4d376f811c624d164de8988b3570fd33677c373f04

                                                   • C:\Users\Admin\AppData\Local\Temp\Z4M5kiPTYYyu.bat
                                                     Filesize: 204B
                                                     MD5: 1dc82f664339780b43b89f6d438f5f21
                                                     SHA1: 74e93982973c30a55816bddb811f5d31b21656c3
                                                     SHA256: 52439343a42346116db2808fb910008a897c7b2debb1140caf29e9cbd5b304ea
                                                     SHA512: 76ae33f03fd6a502a6bf67d760501d9f2059182d7efed299d5ca345d708f2a51e7d4b8781394f46128af5d2879e2e9141a201a2ae1c2c4d2130344d73ad5d89f

                                                   • C:\Users\Admin\AppData\Local\Temp\fFHYGP0vUWNx.bat
                                                     Filesize: 204B
                                                     MD5: 5f12e4f1fc7a02bb25bdc6f7dfbb67d4
                                                     SHA1: 84a718bcfd75cd19a3cd6d28f94d822a0d04f417
                                                     SHA256: 83dabee4f84c010d09503f0a4458c3e31647580cc0f3eb88c07899184f97dfaa
                                                     SHA512: 305ba9ac515cf8e967af4e189b043f2f07a570cb2b66385b5f6f60816dffa412c8f7f20025fa04edd022fe1233b995b978e8107a2676feb6ffe5588fa41f5416

                                                   • C:\Users\Admin\AppData\Local\Temp\h7QxbW05AjZj.bat
                                                     Filesize: 204B
                                                     MD5: 85851258bfa4af7aa35f54f8237e91fd
                                                     SHA1: d3dd2aced058c232a2ffd040efa0403dc548e437
                                                     SHA256: cc47f4d079efa584701ca208f295b61c8d3bad42ad14cb1b822890206aced61d
                                                     SHA512: bf6c60b42bc09108093a9f51781e6f8be6012695dbfe2bcf579f5d3e4b8ae4c6936693959611b989217c74bd7362b7a75e0da77002aed68877cc29f61aa6862a

                                                   • C:\Users\Admin\AppData\Local\Temp\i96WVCWjJemA.bat
                                                     Filesize: 204B
                                                     MD5: 94e8a8ecdae8f6ea3954eefe7602f29c
                                                     SHA1: d891466fd7ce6ffbecd097032541b44f63c41655
                                                     SHA256: a6deff2f2958f25caed2d578588e8cb1b15bc7161158df63c14d3d280c1ac4fe
                                                     SHA512: 6a73c7463cfa852133fd562085d63c58efdb2ed1c346194fab921e19d5d7e088d46a571ba5635d117872290fa875250b605c0fb0a8e9926e9c814a89aaf07f19

                                                   • C:\Users\Admin\AppData\Local\Temp\iXguQ6uo2gzG.bat
                                                     Filesize: 204B
                                                     MD5: cbfef2c0646910d07a4b9fa0bd900bb3
                                                     SHA1: 5c74b9445d34199e34d56ef402b11f8ec7f006ca
                                                     SHA256: 090892bc31ac0c5c95d5178d6df6829bc2cf87603d988fde52805e98d41f9c07
                                                     SHA512: 03533a9a04fb89b9d47d4c444209c02b021e0fd8d5311efe9ef418ef553178d97fac38e0cb92bea011169245a6e2b4967e495c4cefc0878321558d50f39ca1ac

                                                   • C:\Users\Admin\AppData\Local\Temp\l7PwLQ4u8UkO.bat
                                                     Filesize: 204B
                                                     MD5: 737f717a98dea834fa13e428cba42364
                                                     SHA1: 45a33731948bce15cc41025d742c73aa3dafc266
                                                     SHA256: bc273305d5229737f83608447fd0128b268b81799789b0c1128617e7c037cab8
                                                     SHA512: ad2070636f72e1657b3e7c106ab5304f971b1ea9019640407c6a0c165d9e61a50a875be5b7cbbe5a2e5b13f13a55b69ee16d69db89ca49e7c91d1875e9c5545a

                                                   • C:\Users\Admin\AppData\Local\Temp\pdklk7DMGvcO.bat
                                                     Filesize: 204B
                                                     MD5: a9add417e62a366f1b42c49fc695ebd5
                                                     SHA1: 721d138f07bbe3f01e75916c3841497f639a4ee0
                                                     SHA256: 8a9be57a7fae7201ffff1e35b37e7dbe05fc5999b91af462541cae3ced5561e3
                                                     SHA512: 5f53efd9b846c66b9829d4e1781c9d1ba9882941c533611bb0d568dcf16520d204d9a34e9dc0dadf74512ceed7baedaea9278649dafa8a68f890e58c4bfdb8be

                                                   • C:\Users\Admin\AppData\Local\Temp\rMaTqvpRpLak.bat
                                                     Filesize: 204B
                                                     MD5: 93dff2489a392214aefa251575914f06
                                                     SHA1: 07a5087bc077f40772d43aabb07f338f3ba78ac6
                                                     SHA256: 40e876b8d3b6a036b1175c3fa35a9077cc58feee312d5fd9428c9272f92abca2
                                                     SHA512: 5d42b0e6a4048197b609b65bccabc03d1e20e6f214dd3ca7af3cb5b59ba4cee4eba0a2b03aa87d48e85e9997c4aea1a98812364d2f9f3c9f0b6e978b7ee911e8

                                                   • C:\Users\Admin\AppData\Local\Temp\s2bIukoWT1E3.bat
                                                     Filesize: 204B
                                                     MD5: ec3b0e7eb36030290b8d71927a1ccb62
                                                     SHA1: 3330a58b2abbf9673adb80761f1ae2d365770e20
                                                     SHA256: f97917fee1d8a6df63dd32a6dd194fafc6fa21a62e459dc1ac039cde97dd5a98
                                                     SHA512: eaa92554b51f40746b5bf6f3629b6fe8c44e945ce02029c455c8c0586ac3c993b5ff3caecfecc0a5b6c02cb119a535bd9c5ba57f0380e6126522990583e79e6b

                                                   • C:\Windows\System32\SubDir\SolaraExecutor.exe
                                                     Filesize: 3.1MB
                                                     MD5: 3cf4f19b7c69135acb3c4c9bb9cdfb90
                                                     SHA1: e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
                                                     SHA256: 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
                                                     SHA512: 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd

                                                   • memory/3940-0-0x00007FFACED13000-0x00007FFACED15000-memory.dmp
                                                     Filesize: 8KB

                                                   • memory/3940-8-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp
                                                     Filesize: 10.8MB

                                                   • memory/3940-2-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp
                                                     Filesize: 10.8MB

                                                   • memory/3940-1-0x0000000000F70000-0x0000000001294000-memory.dmp
                                                     Filesize: 3.1MB

                                                   • memory/5040-10-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp
                                                     Filesize: 10.8MB

                                                   • memory/5040-9-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp
                                                     Filesize: 10.8MB

                                                   • memory/5040-17-0x00007FFACED10000-0x00007FFACF7D1000-memory.dmp
                                                     Filesize: 10.8MB

                                                   • memory/5040-11-0x000000001BC20000-0x000000001BC70000-memory.dmp
                                                     Filesize: 320KB

                                                   • memory/5040-12-0x000000001BD30000-0x000000001BDE2000-memory.dmp
                                                     Filesize: 712KB