Analysis Overview
SHA256
6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
Threat Level: Known bad
The file Solara.exe was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar family
Quasar payload
Checks computer location settings
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Runs ping.exe
Suspicious use of SendNotifyMessage
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-03 18:13
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-03 18:13
Reported
2024-08-03 18:15
Platform
win7-20240708-en
Max time kernel
143s
Max time network
119s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\Solara.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\Solara.exe | N/A |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\j4ZIm2q79PQm.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\TEqlycYOIjew.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8ctdHvfJUQrj.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\T5ja72VNO0Ao.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\9bV0V6rE9Pod.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\NW6GmEIm0IiR.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\EgF7GwxB1GFZ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\aX5WAmpdNPNR.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HijkBihCFRNO.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\vvkDfZCmQJS1.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\yVeCWrgwT9wZ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\zjbJM0Yyo9OU.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xM9IQCUGrp7G.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\0tK1QKop3iHL.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\atWohEgIoK0l.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
Files
memory/1528-0-0x000007FEF5263000-0x000007FEF5264000-memory.dmp
memory/1528-1-0x00000000009F0000-0x0000000000D14000-memory.dmp
memory/1528-2-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp
C:\Windows\System32\SubDir\SolaraExecutor.exe
| MD5 | 3cf4f19b7c69135acb3c4c9bb9cdfb90 |
| SHA1 | e2b5a40dd2abfa03671fde7c4e74f9b2846f989f |
| SHA256 | 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf |
| SHA512 | 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd |
memory/3040-7-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp
memory/1528-8-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp
memory/3040-9-0x0000000001340000-0x0000000001664000-memory.dmp
memory/3040-10-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\j4ZIm2q79PQm.bat
| MD5 | 1ae85b7ad9eae704f6b8377121c27906 |
| SHA1 | 978ef070c9956a0e8ad21c3bee54978638f91795 |
| SHA256 | e1d3a07ba65ab639ba3c38e77273d0d482dbfcb09135e62b05e1e8afe14b1607 |
| SHA512 | 47e354aaa30b8434e8d25476b3dc11469c90d07f8ee3eac1abf46f6f767840d28e10b9db7807a2ba73d72cb8157b74c2d2a85ce8ef0b36d396946eabcca6376f |
memory/3040-20-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TEqlycYOIjew.bat
| MD5 | 57276dcab44c5852c9e4b6edf7c455d8 |
| SHA1 | aa483ff2619d19bd316feaf141e210658724af6e |
| SHA256 | b23f32bf77ce242498758057924f443cb8ca6469f820d88d8552e509028113b7 |
| SHA512 | e0dbcb48b22dbdbd12e0607ef504d182ceec4a1f87d0555dcd81b0a24f9ae974053c965ed21a9ced2be59c5c875a69e4e6f8bba1311f5429f55d646d9ba706f1 |
memory/1712-32-0x0000000000310000-0x0000000000634000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8ctdHvfJUQrj.bat
| MD5 | 6c0eb6b81db45eec90df2433ded7e25e |
| SHA1 | 17cd19b0dae654ae717fe6f8c6557dbefd1494e8 |
| SHA256 | ddffc9422b9f0bdca7e99da78eaef7bc3fe265de8399cae52138ea1a628638f3 |
| SHA512 | f7830377b1b3bbc21eccde9cb99f60da1cb8744f516b8eab6ccf4b60c6737b3a3b700102e2d757c939422f8f9cdd24fb8cf3deafa7760aec9a05915dfc04c039 |
memory/684-43-0x00000000000E0000-0x0000000000404000-memory.dmp
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\T5ja72VNO0Ao.bat
| MD5 | 754c35adf6dbec8a6cdd9b9cff1b274b |
| SHA1 | 1651783687450c6c317b1c4b0d9e2f78a2486ed9 |
| SHA256 | eef191ead12765ba80aa33a596012b0c0b65b8b28425379cd80355b95eccc01c |
| SHA512 | f11028b306533e0e3db33a5758d9f672b31281da816ad6d8dbd27424a5bee32c5e6dc547c1c5468ea6d49ed78974d3cbde1cd31726a5637900acc3efdb05e470 |
memory/1128-55-0x0000000001300000-0x0000000001624000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9bV0V6rE9Pod.bat
| MD5 | 409b5271edb07fdbb22d507578c79aba |
| SHA1 | 0c10f878b7a6c81ea2fb178aa455aef50387ab0b |
| SHA256 | 551c280be21c249095615039aad7d34dd1aa70b5187064e1d6d5b6e450653441 |
| SHA512 | dcdc4d1b8e5a0d2bfa4fdff166deeddeaa3d940a78516c113da74913d12e39706809c248bd193399b9ce1f9e79a8bd2cd2ee651a9941b30ee645ec096af93ff1 |
C:\Users\Admin\AppData\Local\Temp\NW6GmEIm0IiR.bat
| MD5 | 59d6184a86a395862bac3222e0795b25 |
| SHA1 | 18fc4f91c094fd0bc2d890983671042e2e42e18b |
| SHA256 | 0de8c77e2012368326e3fab0ef83f43351190f7b8ea87c62511897a4decacf8d |
| SHA512 | 6f0232697ed3d1e60a2caa82fa0a5ae4714ed5fdbe4ca6f9fefa47f1f58c150f09a1484c7789c041d1ed28abfa12a7482f1367516579b8effc9fb144c336b505 |
C:\Users\Admin\AppData\Local\Temp\EgF7GwxB1GFZ.bat
| MD5 | 443a2387c249d6d1e54255347688ac0e |
| SHA1 | 1f7ae829cb9c3f65e823246dce09c292f33df48e |
| SHA256 | 49e40b34550f4f96cb800a59b4c8a75a431edc11e0f2498734940c391a6cf0bb |
| SHA512 | af63485b8f70e8435136618807e7c38162c7593f6c0fedb8a85253302c74950fed346aa9c93e9e4d3ec46b13a67f94a4ce36238c2f4198f03282d3d7d4ac572c |
C:\Users\Admin\AppData\Local\Temp\aX5WAmpdNPNR.bat
| MD5 | df0c45557f79c600853f450db8b08b0b |
| SHA1 | 3bc81b9b100fa7ca1c6df2097edc1e764ae49d5c |
| SHA256 | ec0918c76c366f5c5ec0d61e42af8ffb8db54eb84059921422285ee37e8b8b5e |
| SHA512 | ce875b7b16e215f4713682822658212aa5b3b73fd37ba8195349801728bd5da4768a9fe331d3d7c37c808aafe8f6781f141fd52a20782530cf517af88a4cf234 |
memory/2724-96-0x00000000000F0000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\HijkBihCFRNO.bat
| MD5 | c789fafce38765e6997fc94f61b4b033 |
| SHA1 | 14ed44521afc26f68ad8dd85f6a0d1849ae54d26 |
| SHA256 | 82f4c9f8eb73e900777e8c33036efa8927c4314e72319e0d11f990ad9e884ae6 |
| SHA512 | 1acf2032da901e6c2b783a5af7f1d9c02c86758d401d58c26a95bb3737a8631e95ee03f2df3ab4fe49dc59040bee167a84f18655b3a58b94ee8deeff7dbb9562 |
memory/1324-108-0x00000000011E0000-0x0000000001504000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vvkDfZCmQJS1.bat
| MD5 | 7dd27d1c93a4bcd71ce4ff5b2c4d1de2 |
| SHA1 | 29d3bcdfa1646297110e83668e84d5df3d88dd09 |
| SHA256 | 2d526a8a5be46b9237a9fe47cf314437ac796f4d3d49fa05f92b7601ba4d5435 |
| SHA512 | 5cc7a3a76f1d9b54c63df382b7aee5056bffacfe15a0f555525589e651e2b86b74295053820f2bdc91ffcad1483e6b65920d0e2cc510f1a12da3ded980b8ecf4 |
memory/2244-119-0x0000000000030000-0x0000000000354000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\yVeCWrgwT9wZ.bat
| MD5 | 2fa21fc29389715b5f6629e48f8cbc99 |
| SHA1 | 438fd8d10f338313a3fefb974eed2e263d446d4e |
| SHA256 | 25e17bfbcaab275b6b4c9ad8e9299d4e7f069c2c7b8c635cd54ce3a9d55fabd7 |
| SHA512 | 4033294a1a4844f624f6ce778f4f3ebf4b5bf338fb30432c654e91efbe4f37c0dc0c865fea84b4a4aadd147ea22b9957816fc648133e3c53249dfa1915adac17 |
memory/2340-131-0x0000000000E20000-0x0000000001144000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zjbJM0Yyo9OU.bat
| MD5 | 27ad95411f6b6fff7dabf03bb4f29cf2 |
| SHA1 | 6ba909350dd88f0eae83b166b2a5e61e7a0d1559 |
| SHA256 | 73ea208958851eef98508170dc0f880dcde0a6c408e8bbd5465a82f1e6dda60e |
| SHA512 | fe49784aab1535f30b621f7191c5fdf8a43ff68605eb5c0f3ce1fef225ed6496d5dbd024cf8ff77c2991e5f0c0c32938ddb55684ec04755a6b05bf29c60aa90d |
memory/1696-142-0x0000000000150000-0x0000000000474000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xM9IQCUGrp7G.bat
| MD5 | 86b95b9bb5742c553faedef171a2c959 |
| SHA1 | ea628b5523a4646920bfb22833bfc1bdeba47ca3 |
| SHA256 | 40b134b644e4205b4fb734e26eed310c1873f1361b7ad33eff13ad22857f217a |
| SHA512 | 0dd600603a7317e1b2ace4c5cbce8abf9e4696fab8c68e46e48811d5bb85f8d9248da5bc79e5c75b6db5f376930cbaec2fa15f6b9784b60d495d08ed183059af |
C:\Users\Admin\AppData\Local\Temp\0tK1QKop3iHL.bat
| MD5 | aba5421d8d08bf2dcca99b2a77293b9c |
| SHA1 | 1cfe54ca57f55a3a4bb3fedd7ebc62a4c76ca57b |
| SHA256 | 15b504c07c0c341a4e7a5d1c9ca88bcb5607c545584ecbb08dcd89c267407dcc |
| SHA512 | 2f83cc226b63ec89667cd0267d69a7e5efc18919202afa8571f693387fc5e79887c29fe7a73f15291270690eed5b50d67e8d013762f4f241b4d52bcca778d1fe |
memory/2092-164-0x0000000000330000-0x0000000000654000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\atWohEgIoK0l.bat
| MD5 | 8adbfb6bb69099919b6185edbcb85fed |
| SHA1 | a27a886187f9239f8f31f78b5d8accb1bea5e02f |
| SHA256 | 6bdc3868ff7e2166dafcc398d70001e46108bee24f149de6727cbe9907c0e5ca |
| SHA512 | 2701c210dd2e4d03337383e472fb5118e7b54a995e4b15f22a360997903f63ce1127f3ec393d1104a700dab1518740b13dc82abbe8ef4db1ef6f72cf61093c12 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-03 18:13
Reported
2024-08-03 18:15
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\Solara.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\Solara.exe | N/A |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5QFkUt3cDapL.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7BmAPOcdQF39.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
C:\Windows\System32\SubDir\SolaraExecutor.exe
| MD5 | 3cf4f19b7c69135acb3c4c9bb9cdfb90 |
| SHA1 | e2b5a40dd2abfa03671fde7c4e74f9b2846f989f |
| SHA256 | 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf |
| SHA512 | 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd |
C:\Users\Admin\AppData\Local\Temp\5QFkUt3cDapL.bat
| MD5 | db9984b04057b514bc356dd572a5bd34 |
| SHA1 | 22a9d7e4bd3d1b89bd0207334765ebde0eaf2fd4 |
| SHA256 | 5d4831801ef77c4baeb250c9144b061dc3fead873956218c2b4ec31db29fd70f |
| SHA512 | 397a7b14812dc109fe59466dd2a200f9e121418c5765c16840c26493e5f843a6d63ff7377077519e7e753abdec72ebfd56bf019c93778876cd647fe0cb60c2af |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SolaraExecutor.exe.log
| MD5 | 8f0271a63446aef01cf2bfc7b7c7976b |
| SHA1 | b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7 |
| SHA256 | da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c |
| SHA512 | 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5 |
C:\Users\Admin\AppData\Local\Temp\7BmAPOcdQF39.bat
| MD5 | 1e4d438d8dd74c02329e6c7379ef2522 |
| SHA1 | 621a1cb8c977b61094afb146e5b74ab6a16654c4 |
| SHA256 | ff91acc7b62ad10f3a0d3a6ad51428a1ba5b0cd06f5b340e9b582f38079cf73d |
| SHA512 | c9818c9887405eba495f9df8ed2c853a0b65503dfb6a527d44daae74fc90e89f629daa9ebd29d35929b4118df10b8d5b2fec19fc57cf96327d35a2e121b57cbf |
C:\Users\Admin\AppData\Local\Temp\R8tZY8snGbl3.bat
| MD5 | 06c7d1a0501ce421516cee7db0e21848 |
| SHA1 | 05e223ce6a15a7d8ba90cb944c64a2df0a166d48 |
| SHA256 | fb26e7306345f87f5ef32b65558f0e8bf88a2cc4ea978d84a360024de2dbcb5f |
| SHA512 | 0bda0d2856b5929a434c89ad6be8b1cc7682a9d1b06156fff84f26cbda3300235e7d5ca41d128fa63b9acb1e34300428ef757a304b59435b2bdd0f46213d7038 |
C:\Users\Admin\AppData\Local\Temp\jJcuK8sLY2HQ.bat
| MD5 | 47ca068d93f19a24059657dab90b7ea9 |
| SHA1 | df1899263becdecc377c38747793e12aa590d369 |
| SHA256 | 8432c2aa5d085f3e392aace208df244ee7d023b0cfad2428e6b13ab89fb46ad5 |
| SHA512 | 3c0936f0a87ad22dfe7e48d51efecb38dae9823034dbdf9a5dbd160212b80c04955cb05d4bd950fe1bf34699d7144828073fcc2e7fcf9cdf92891ba0624986c6 |
C:\Users\Admin\AppData\Local\Temp\D7Gd0Mm1JUAx.bat
| MD5 | e10d804fba7c4a951086d5ec88e37f12 |
| SHA1 | c09ff3274aec0579132eabf2ba4beba777b774f7 |
| SHA256 | 83a7cb4a425911ee5a958ff669ce8355240ae1dcbafcc399bf31920e4b4e8b65 |
| SHA512 | 6fb4c18faac4f0caff16f5bcbacc1927c7e8d5894e316bf4627a8d7525c4809bbaac4a0d884ec752a40b2b06d37d572dcfe878a9d06d218f84a6a893d5d11063 |
C:\Users\Admin\AppData\Local\Temp\f54mdRJ7DHiv.bat
| MD5 | 64e11a48fedb332a828dabfc6a70df30 |
| SHA1 | ce38f364b6bca79d74e002a02def9456000088a1 |
| SHA256 | b0b755afc034dd33424fd5c37e65d561b764ec46d17c042eac13ea373c6ecf87 |
| SHA512 | 3a3597b00cee290517580a8739b66a1efb45b02efe9ed196dda1b1df6c9b0d4519eae9d004864dfa4fbfd06d771a2798f4e1f3e5bfdfabf84ffcf3328b3f246e |
C:\Users\Admin\AppData\Local\Temp\KOWhqt9EUo4V.bat
| MD5 | 0a6dedfcabb794a2e3c18367fe37f27e |
| SHA1 | 1d0af4482e9dd52b9ba75e8c650f6f1e71c1afb7 |
| SHA256 | 2c2d1196b18bc8f6632c9d84a8afd41c55906bb78741dc4d5a6a035e4b0e8bf0 |
| SHA512 | 57e5cce3775c38216841b09728b53e44aa313bc86b001bea5cd9d2ada8bf7e015ef65818ea867a5bc486ccb6ab95078e485c94d1172696ba36339ec26e4941b7 |
C:\Users\Admin\AppData\Local\Temp\cRQLj3y7txvC.bat
| MD5 | 402b17874ee4e6d5633b945caa1a7578 |
| SHA1 | 57f03126d072d361e5e0bed08ba32cec29692099 |
| SHA256 | 2eb4c59e96a5bca8567af7a2071fc4fcf20e59c9ae425a868e3e550a856c67bf |
| SHA512 | 806012c4352fabfe8d2b14ac3deda18650842b741955c7caa22f70dd2eb7f5eec4f7dcbd45d857e2902e5eb0ff1d6c62c880599ac7dca7f9e5a99e177573f561 |
C:\Users\Admin\AppData\Local\Temp\G0tqoFsdUxFn.bat
| MD5 | 3f02d67f17216e8bc461ebbf5fe92ab1 |
| SHA1 | e5f849e5c223487a64665c0b3eacd6f419d25999 |
| SHA256 | 1482aa81fd394f03b0f8d0dfdeaab1b337ffa9271c2a0112ec7ce80297630273 |
| SHA512 | 777cc29c50cc38e7129f379128343d2185bcfaca809a97d68ac1edf73d9a6853cb0c3965627b5541bd7a4b237b179a01f5895eb571b242366ace255f3d5ffbb9 |
C:\Users\Admin\AppData\Local\Temp\ZZS3DYp0DMv8.bat
| MD5 | 9116f5386ffe46bf566259d968716e17 |
| SHA1 | f335514c887e89fc79cac686936ab63346b499b8 |
| SHA256 | 6dd3f9393bb7a5ce27996d1cc550323bcefc2639687a6cce5480d78768d2ac2a |
| SHA512 | fbdb642e2ec590493a55dc8bb73b1865e3e5406f96639f0ac149e8fdcedd649ff773a459457f2880776cd3f983a228f29956a3e73d21bdfd42d44cb9e79a83ad |
C:\Users\Admin\AppData\Local\Temp\KC0MNA3b7FyV.bat
| MD5 | 42c7afb1a2ecc0840e55a37f194fa4d8 |
| SHA1 | 43a99b787b266a943eadf4065462fda06de96496 |
| SHA256 | fc63d1a87a7214383e367883ea4833f7c02d0d58c30ac82dacca500097c545c7 |
| SHA512 | f954a78806d79d1406f5aa4407fbfa64808fe18df67a909d2549ea0004cb391f7ad5868c13e6c613fedbd4e6bfa55c813cede3286cbc5ae45fd40684e5d187c3 |
C:\Users\Admin\AppData\Local\Temp\rWUMf2QesGEc.bat
| MD5 | 9aa1805e9d75b45073cc4317ef319553 |
| SHA1 | a90a5180440c1c04a82bd67af2db67d9d0cd4374 |
| SHA256 | 69e595b03a313c6d9dbff37de82c69ece7073dd357506632c7c3d837cbbf3b19 |
| SHA512 | 78775542c1e1e023134f332ee6b217477901a2e177303b1c4ac16e0f58411a1c586a091c170444953ba118b2b01a0b4d6d90e82bbe4f9ac77cbca7241ebcc5cc |
C:\Users\Admin\AppData\Local\Temp\6cM2Kk1JMd6n.bat
| MD5 | 983379afa0dd79113b9fac276ad5f12d |
| SHA1 | f4b893c8cc8521faf4ad17f386e6bb5476a5b563 |
| SHA256 | f31f94a1c8ab9ff4d9e54a26a0b127073080ae0849adb9845683ac78a17297f7 |
| SHA512 | 07d2716f73c696481030966b3408ff9c23b9ba7ec9f196301aa092951b7696e6f078df9ee9db447299c82d10b9977f2940296935102a14537da63ca17a823b6d |
C:\Users\Admin\AppData\Local\Temp\BcBduRfB5F3C.bat
| MD5 | 2cee91dd84cc2b5fa9b03fbdf704fdfa |
| SHA1 | 7e70af61e417300b90f43b598db247bffd72538a |
| SHA256 | a37ee2fa99b4eed7633602b54a8b9597321bd342a71f4befb67a16e200545d18 |
| SHA512 | 4601fb2b960ff4516cf9b1fac42953dbee4abbcb1b9d4cd47e0655b3b75f7a0ae04649e461ffc5f5514baec94cd321ee8f76af30b994cbc6001530e1d4e1c591 |
C:\Users\Admin\AppData\Local\Temp\ThJkxFEg4FoF.bat
| MD5 | 62410b43a04d9e63c6c859baba85deb6 |
| SHA1 | a1be67275321a4dd8547af54bf4c135f11d78f25 |
| SHA256 | 425b1b45a17f9db7af8f92d996e440f5beb41692c7163392760b725d84d3edc0 |
| SHA512 | c590c8a89297127e93277a377c2e7bc50839f6b63f531ceb09fb4d2724dd8b793dc8856adf05a194c19bbc1b8311b82d70e359b2b71a01dd2c2ec304c206d8f5 |