Analysis Overview
| SHA256 | 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf |
Threat Level: Known bad
The file Solara.exe was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar family
Quasar payload
Checks computer location settings
Executes dropped EXE
Drops file in System32 directory
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Runs ping.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-08-03 18:05 |
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-08-03 18:05 |
| Reported | 2024-08-03 18:08 |
| Platform | win7-20240708-en |
| Max time kernel | 143s |
| Max time network | 120s |
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\Solara.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\Solara.exe | N/A |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Solara.exe | "C:\Users\Admin\AppData\Local\Temp\Solara.exe" |
| C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\moLlStjofTS9.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\lRglklHhE4bX.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\FSi7EoyLOKiS.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\rHC7h9zfLSQx.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\SOPFxnNRDr2O.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\7sjQBkStnEuj.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\7XncvzNxmQRJ.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\fxx3to9kAoj2.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\YcCOkuwfGPER.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\9bWzBUkDZOQl.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\p1x4pjtB8tpf.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\9DhqK0XZEwWR.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\1xXAEkPyZz11.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\jhwnjh8vXAUZ.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\itQWUOBR8mtC.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
Files
memory/1620-0-0x000007FEF5D63000-0x000007FEF5D64000-memory.dmp
memory/1620-1-0x0000000000F50000-0x0000000001274000-memory.dmp
memory/1620-2-0x000007FEF5D60000-0x000007FEF674C000-memory.dmp
C:\Windows\System32\SubDir\SolaraExecutor.exe
| MD5 | 3cf4f19b7c69135acb3c4c9bb9cdfb90 |
| SHA1 | e2b5a40dd2abfa03671fde7c4e74f9b2846f989f |
| SHA256 | 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf |
| SHA512 | 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd |
memory/2368-8-0x00000000001A0000-0x00000000004C4000-memory.dmp
memory/1620-7-0x000007FEF5D60000-0x000007FEF674C000-memory.dmp
memory/2368-9-0x000007FEF5D60000-0x000007FEF674C000-memory.dmp
memory/2368-10-0x000007FEF5D60000-0x000007FEF674C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\moLlStjofTS9.bat
| MD5 | a6a8a007d3d70a1d71c3ccdc8a4af65e |
| SHA1 | b2620c000f276af57cf0dd790b90e3254111a299 |
| SHA256 | 2474d9804237af78918f78c1e87546c103d97cbaeec4957700968aed8c656a04 |
| SHA512 | 99b6fb2cb850fe95e8c89b3cd7c6462eb2a4cce5f7f0bd153d4f95367d6f1cf6f45310e16b7a6e7bd1d8bb6f81241ea7279beee315be65748301d7b1de81150b |
memory/2368-19-0x000007FEF5D60000-0x000007FEF674C000-memory.dmp
memory/2640-22-0x0000000000BF0000-0x0000000000F14000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lRglklHhE4bX.bat
| MD5 | c504f46305974f4f1f5f4cdc8e47b542 |
| SHA1 | 13d155f4f6714bf6f7fa9a360cf3c61b6cbb5a27 |
| SHA256 | 237d5a253e5eccc83f70f9ccbb53b824ccda2c006b895a234eab5a648dc2c9df |
| SHA512 | 12d3696c04776b70a98ec348dc092491a1769e86c1ad01098ff214d00799bf28855f64868db28e3449f717fda1bb24d0acbe281e863db9d39ef178473b976127 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\FSi7EoyLOKiS.bat
| MD5 | 6a6bf01af96ab275a8491dd3a24f4c29 |
| SHA1 | e29ade8ac3b7663ce4f5c43ecbba9d474c465bdf |
| SHA256 | 3dcf978a150753ba9552e9ef6e6b2d03a513adfbc99eb329622c3e123ed0f021 |
| SHA512 | 931f6acfd090ceac793f3a476304efe6635e11472c121be3d1fc623c6dee648c16f66ebdea3b054c9bf4eec26e5abcf38c9fed2bdaee2c20b426d78681b58a45 |
memory/1848-44-0x0000000000140000-0x0000000000464000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rHC7h9zfLSQx.bat
| MD5 | 47f6844370da316c29e4c57cefaf8aac |
| SHA1 | ac2d08dd7d144be1ea94b916b557c1ea852aa810 |
| SHA256 | 44180543079cf5451dba5d32dde23537cb7d56e3af6bfdbd7edeb836644c5ea7 |
| SHA512 | 51b63a7305e0a32e6292c6315629b7dcc595109b543e7a6dab74db136512a9a68dee50e48625bc0b916341801a434a06c0eb92c7f03af6a76d1df73942e25a7f |
memory/628-55-0x0000000000900000-0x0000000000C24000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SOPFxnNRDr2O.bat
| MD5 | 140a6051d5288d090a95c4356dd0aeb1 |
| SHA1 | 438f6280ea66590fcaeda4f000c57ae76be4a7f5 |
| SHA256 | 1dcd5a0a75b0903ef3fc5d33710a5e763952e033a1864e785c76963aab1e0e84 |
| SHA512 | f1eaf056533d417731ded0087654348a2c7af881fb7f34c2d2f07e92ef3f7623eb788fb52e466b4ba20feb189f57e5ca0b0b0c8917614823d4e7850d89e7e29f |
memory/1736-67-0x0000000000110000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7sjQBkStnEuj.bat
| MD5 | 7a1b656d02969666948de373c851da2c |
| SHA1 | 34410f44fd461b47cd5c0e2dac2d983eed44fd83 |
| SHA256 | f37e2d86cff7625a5310c46c920ff4393b2fc3a7bd57071b360f94e8a0805a71 |
| SHA512 | 400145e2d85eb54a04f69ed2c44624a67bfef2fa5c46237707f5528ca7e427e5bdc5ef9a05f9214b3b9bf477be9e4b1552895117285313a0eb9d8bf91ff2c6e6 |
memory/2148-78-0x0000000000CF0000-0x0000000001014000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7XncvzNxmQRJ.bat
| MD5 | bd3c7fc042804fcbc3f8a2fe2abb6f0c |
| SHA1 | ba4f0b74e97dbb4500965f33b2afec36f404aad9 |
| SHA256 | 4e2b06e82e3a593c5edecac0b27dc07f8e578bec918f4e6513506cb66ba5930d |
| SHA512 | d73e352931ca9e6453370fe042d7263f43428d95c71e19560dacf500de7c56ec8e13271531261a49fbe21ac08a0ffeb98e4c7e5b8f3443c5e7d39d6020342b3c |
memory/2544-90-0x00000000012F0000-0x0000000001614000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fxx3to9kAoj2.bat
| MD5 | 1d5963b75d0a5443dce734c11112685a |
| SHA1 | c4b70e28371598c6f2a9e4213b090086f0b825e0 |
| SHA256 | 1a681d742ed10613228ea28cb2e5f8aa31907083f63064bfb2d4b70141b29d43 |
| SHA512 | 8c97a8efb5eb250e7b986ac817ffd2c6d119c29d077e2495688bee69a56148a39876fc0fb00d76593b87849d5432e937de26f459c76312272fc1d4cc93aa818a |
C:\Users\Admin\AppData\Local\Temp\YcCOkuwfGPER.bat
| MD5 | 669a627e4edab7a8e3bd252b1ddc600a |
| SHA1 | a7003a2bbea36961b3052511a9d019fbbf0a5774 |
| SHA256 | 49d3787117a065f1b3dbb3b3a715b3e052b25b8699b59cb192fe248373dc1c20 |
| SHA512 | e45d824b6c06b621e6525a83b5c895906c5a1d44a928c056bc8f3f4b1b6190731ecc25c223cbacb840da083bf1b4d634fffda16737652890d4f82824e6000b5f |
C:\Users\Admin\AppData\Local\Temp\9bWzBUkDZOQl.bat
| MD5 | 065a999b55ebbe10f9a3e12821879de6 |
| SHA1 | 2a7c15a966aded3b9c0b520cc78f2f2ac5951163 |
| SHA256 | 246d399efea56710048699622c51c218de0bcc75524a641a41a2b85b5011dcdb |
| SHA512 | e419d405d9b59cd0a89313350a3bf9af97794803827eb299b7918d323eb71715f7ec14e112cb26917afe7199004284a93b31936597a7bdbbb7324988f9f9a2ac |
C:\Users\Admin\AppData\Local\Temp\p1x4pjtB8tpf.bat
| MD5 | 6785f4f898bfc376ce63d88ee9c25822 |
| SHA1 | 2eb8c0c9eec37fde827698529d001dab976a4cbe |
| SHA256 | 78d352e37a9edeb45548c7b738d98eba07094ffa1c5671f931b132fc0951fe1e |
| SHA512 | c31c8bf1cde69e34f5a54b1893c5939ad790adaa39cb6cdcd6dc118e4079b3b6de75d16044e42d170e49a2822a3ae0f34f4f1ab3f7752079f7ef7d44b4999f58 |
memory/2968-132-0x0000000000220000-0x0000000000544000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9DhqK0XZEwWR.bat
| MD5 | 74d095baf709e371cea45bd601bba1e8 |
| SHA1 | 4c20ffed811a17d2d1d9d0f1a8216271a5bc5323 |
| SHA256 | e786e1a43d400e1a36e19f5b0f1728fd30007eeead26f36adb6a89ba7c1cb923 |
| SHA512 | c16219f606d99d4b7dd3573a122c9d966dab905203b72e165570efaf8cda8de114dea0d628b2e4d4ae2dcfc39dc30fe295bb3fee8449958f8633ab72c70a68f7 |
memory/2996-143-0x00000000008E0000-0x0000000000C04000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1xXAEkPyZz11.bat
| MD5 | fb8bf7e8daf16ccf4c0448a79ba5fc47 |
| SHA1 | c4e44705889b03b5a6d631dbe498ab5bd75b55c5 |
| SHA256 | 7c504213dbe624a7e46f310524e3e1d948786630488d69167649772dcb425d11 |
| SHA512 | e9940c2a7c0aecb2ee9440f15f8da41b56e493e9a027dca15d760146df34fd8d9c209f8f3ef1e87aabef0e01ee61b83192054c24f1e8f0bbd6b416cade3d85e0 |
memory/740-154-0x0000000001210000-0x0000000001534000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jhwnjh8vXAUZ.bat
| MD5 | 1ebe8fbe88a2b248f67a842c4efa451a |
| SHA1 | db2d803644273b750ca40c49b257863f1475e4cf |
| SHA256 | b7d81befeb5727a8522f1baeef1c5507643edcd426cd909b42a0a173ce33ca4d |
| SHA512 | 70e839f1f5c0109a3eee22e31681d578ce61128e41b9f67db64348b9229caae7c8407d9aae420b90ad5ed4b04d4e746db917de43eb8f29a4b11ba12f4dc4c00a |
memory/584-165-0x0000000000070000-0x0000000000394000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\itQWUOBR8mtC.bat
| MD5 | 3a29fe0c6e4251e9f60bcb6b126d4809 |
| SHA1 | 5e825fb7e758555cc3a711e0649797c881491bef |
| SHA256 | 3ec75d5801f47cccf048f45e7622536d837188ed392fd017979f20575c48c4fb |
| SHA512 | e85bc319c30193cd5a3c5dd020181a6075e07e92b1625b8ec3bdff5cea74171012edc4e92654628aec12b76e3695c5d026e0781191d128e61864d461e5be499e |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-08-03 18:05 |
| Reported | 2024-08-03 18:08 |
| Platform | win10v2004-20240802-en |
| Max time kernel | 149s |
| Max time network | 150s |
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\Solara.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\Solara.exe | N/A |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Solara.exe | "C:\Users\Admin\AppData\Local\Temp\Solara.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z4M5kiPTYYyu.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\10NkFlgz8mo3.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8Yl9PML3brQU.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s2bIukoWT1E3.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fFHYGP0vUWNx.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\l7PwLQ4u8UkO.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7VUJLkZOHxXU.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\i96WVCWjJemA.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h7QxbW05AjZj.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pdklk7DMGvcO.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMaTqvpRpLak.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QUgUil5dJDin.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iXguQ6uo2gzG.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D22bRPcIhzjU.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\53694SMDEX20.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
Files