Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-08-2024 01:24

General

  • Target

    6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe

  • Size

    3.1MB

  • MD5

    3cf4f19b7c69135acb3c4c9bb9cdfb90

  • SHA1

    e2b5a40dd2abfa03671fde7c4e74f9b2846f989f

  • SHA256

    6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf

  • SHA512

    4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd

  • SSDEEP

    49152:DvehBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaxAtueYFoGdXTHHB72eh2NT:DvAt2d5aKCuVPzlEmVQ0wvwf+tuee

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

nohchy-47404.portmap.host:47404

Mutex

1a1e174b-dbf8-49ad-9b43-2cfbb233a6d9

Attributes
  • encryption_key

    795CDD46D2CDD422BE523F263B64E03D8B6AAD42

  • install_name

    SolaraExecutor.exe

  • log_directory

    Logs

  • reconnect_delay

    2000

  • startup_key

    RtkAudUService64

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 15 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 15 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 16 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 15 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
    "C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:688
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1984
    • C:\Windows\system32\SubDir\SolaraExecutor.exe
      "C:\Windows\system32\SubDir\SolaraExecutor.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4540
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2572
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEiMixRgKeO7.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4764
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:4760
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1764
          • C:\Windows\system32\SubDir\SolaraExecutor.exe
            "C:\Windows\system32\SubDir\SolaraExecutor.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:1260
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:4608
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XpLHk3Hs7XBf.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2836
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:492
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:3460
                • C:\Windows\system32\SubDir\SolaraExecutor.exe
                  "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of WriteProcessMemory
                  PID:2724
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:3948
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCHBOAdpeJ8p.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:572
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:2844
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:2092
                      • C:\Windows\system32\SubDir\SolaraExecutor.exe
                        "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of WriteProcessMemory
                        PID:3876
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:2264
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkOzK3FNaL4n.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3892
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:4012
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:3768
                            • C:\Windows\system32\SubDir\SolaraExecutor.exe
                              "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              • Suspicious use of WriteProcessMemory
                              PID:496
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:4416
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSM2RpwG6zqP.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2236
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:1204
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:2716
                                  • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                    "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of FindShellTrayWindow
                                    • Suspicious use of SendNotifyMessage
                                    • Suspicious use of WriteProcessMemory
                                    PID:4144
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                      13⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:4816
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kthY9GZZm3ST.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:3900
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                          PID:4964
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:2296
                                        • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                          "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                          14⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of FindShellTrayWindow
                                          • Suspicious use of SendNotifyMessage
                                          PID:2708
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                            15⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:4608
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k0aumOzGJsyg.bat" "
                                            15⤵
                                              PID:2676
                                              • C:\Windows\system32\chcp.com
                                                chcp 65001
                                                16⤵
                                                  PID:3800
                                                • C:\Windows\system32\PING.EXE
                                                  ping -n 10 localhost
                                                  16⤵
                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                  • Runs ping.exe
                                                  PID:4860
                                                • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                  "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                  16⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of FindShellTrayWindow
                                                  • Suspicious use of SendNotifyMessage
                                                  PID:3440
                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                    17⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1752
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZItkk5tp8pos.bat" "
                                                    17⤵
                                                      PID:4836
                                                      • C:\Windows\system32\chcp.com
                                                        chcp 65001
                                                        18⤵
                                                          PID:2780
                                                        • C:\Windows\system32\PING.EXE
                                                          ping -n 10 localhost
                                                          18⤵
                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                          • Runs ping.exe
                                                          PID:4472
                                                        • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                          "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                          18⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • Suspicious use of FindShellTrayWindow
                                                          • Suspicious use of SendNotifyMessage
                                                          PID:1988
                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                            "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                            19⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:660
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Rd9vnoVRQ0f3.bat" "
                                                            19⤵
                                                              PID:2276
                                                              • C:\Windows\system32\chcp.com
                                                                chcp 65001
                                                                20⤵
                                                                  PID:3952
                                                                • C:\Windows\system32\PING.EXE
                                                                  ping -n 10 localhost
                                                                  20⤵
                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                  • Runs ping.exe
                                                                  PID:1936
                                                                • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                                  "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                                  20⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • Suspicious use of FindShellTrayWindow
                                                                  • Suspicious use of SendNotifyMessage
                                                                  PID:3696
                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                    21⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:1776
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JPyMkjlwUBG2.bat" "
                                                                    21⤵
                                                                      PID:3984
                                                                      • C:\Windows\system32\chcp.com
                                                                        chcp 65001
                                                                        22⤵
                                                                          PID:3564
                                                                        • C:\Windows\system32\PING.EXE
                                                                          ping -n 10 localhost
                                                                          22⤵
                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                          • Runs ping.exe
                                                                          PID:828
                                                                        • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                                          "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                                          22⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          • Suspicious use of FindShellTrayWindow
                                                                          • Suspicious use of SendNotifyMessage
                                                                          PID:2052
                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                            "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                            23⤵
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:4028
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Uv5BxCS2lg1P.bat" "
                                                                            23⤵
                                                                              PID:4876
                                                                              • C:\Windows\system32\chcp.com
                                                                                chcp 65001
                                                                                24⤵
                                                                                  PID:3512
                                                                                • C:\Windows\system32\PING.EXE
                                                                                  ping -n 10 localhost
                                                                                  24⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  • Runs ping.exe
                                                                                  PID:4396
                                                                                • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                                                  "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                                                  24⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                  • Suspicious use of SendNotifyMessage
                                                                                  PID:1872
                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                                    25⤵
                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                    PID:876
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\11nIkY2H48r8.bat" "
                                                                                    25⤵
                                                                                      PID:2680
                                                                                      • C:\Windows\system32\chcp.com
                                                                                        chcp 65001
                                                                                        26⤵
                                                                                          PID:780
                                                                                        • C:\Windows\system32\PING.EXE
                                                                                          ping -n 10 localhost
                                                                                          26⤵
                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                          • Runs ping.exe
                                                                                          PID:1300
                                                                                        • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                                                          "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                                                          26⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                          • Suspicious use of SendNotifyMessage
                                                                                          PID:5036
                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                            "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                                            27⤵
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:1420
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VLKi7rizViNE.bat" "
                                                                                            27⤵
                                                                                              PID:4116
                                                                                              • C:\Windows\system32\chcp.com
                                                                                                chcp 65001
                                                                                                28⤵
                                                                                                  PID:3572
                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                  ping -n 10 localhost
                                                                                                  28⤵
                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                  • Runs ping.exe
                                                                                                  PID:1560
                                                                                                • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                                                                  "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                                                                  28⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                  PID:3400
                                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                                                    29⤵
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:4380
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vzfUcSVf3UPK.bat" "
                                                                                                    29⤵
                                                                                                      PID:4532
                                                                                                      • C:\Windows\system32\chcp.com
                                                                                                        chcp 65001
                                                                                                        30⤵
                                                                                                          PID:2104
                                                                                                        • C:\Windows\system32\PING.EXE
                                                                                                          ping -n 10 localhost
                                                                                                          30⤵
                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                          • Runs ping.exe
                                                                                                          PID:3088
                                                                                                        • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                                                                          "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                                                                          30⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                          PID:4904
                                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                            "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                                                            31⤵
                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                            PID:2444
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D6Nkl14ERROP.bat" "
                                                                                                            31⤵
                                                                                                              PID:3728
                                                                                                              • C:\Windows\system32\chcp.com
                                                                                                                chcp 65001
                                                                                                                32⤵
                                                                                                                  PID:1524
                                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                                  ping -n 10 localhost
                                                                                                                  32⤵
                                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                  • Runs ping.exe
                                                                                                                  PID:4152

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Downloads
