Analysis Overview
SHA256
6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
Threat Level: Known bad
The file 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Quasar family
Checks computer location settings
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Runs ping.exe
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-04 01:24
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-04 01:24
Reported
2024-08-04 01:26
Platform
win7-20240708-en
Max time kernel
143s
Max time network
119s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | N/A |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
"C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\w8lKwKzL6O1o.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\s8cSGWumUXcy.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\9a9JatYmIKwD.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\kSp0LcAZqQIi.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ookcGWi0iaCr.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2Gs52dFuOOAc.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\fHUypsR5cZe8.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\T4RnteHx2LUO.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ufVoy4qTmJBg.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\6wxKarHO4iDi.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XVn1Wk0PyNtH.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\z0fvVgTurJIq.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MhLSwW5PbTD8.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\XC5vi1IMF8Fy.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\HV4X7nAPaktd.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
Files
memory/2916-0-0x000007FEF5E13000-0x000007FEF5E14000-memory.dmp
memory/2916-1-0x0000000000EF0000-0x0000000001214000-memory.dmp
memory/2916-2-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp
C:\Windows\System32\SubDir\SolaraExecutor.exe
| MD5 | 3cf4f19b7c69135acb3c4c9bb9cdfb90 |
| SHA1 | e2b5a40dd2abfa03671fde7c4e74f9b2846f989f |
| SHA256 | 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf |
| SHA512 | 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd |
memory/2916-7-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp
memory/2744-8-0x0000000000D20000-0x0000000001044000-memory.dmp
memory/2744-10-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp
memory/2744-9-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\w8lKwKzL6O1o.bat
| MD5 | daddb1b98c2aa9bf6535c7cce995eafb |
| SHA1 | 774286ebd53cd08f20e739d16895fe66c76b14ff |
| SHA256 | 7aca139ed0eff45af2911354921132fde1d712363dffe4e7e8f961f056b1b9ee |
| SHA512 | 2c06abecd9afa7e47631b51dc1af960102f2f68d545ad21fff2615d5763d38c9bb1814d83692aa83580342d75915af281d5f2fa0a8c17a273f8b2d326e573d26 |
memory/2744-20-0x000007FEF5E10000-0x000007FEF67FC000-memory.dmp
memory/2200-22-0x0000000000280000-0x00000000005A4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\s8cSGWumUXcy.bat
| MD5 | cbbdfa0bb326f7e63a367fe9be7fd888 |
| SHA1 | 2cdcf825e9162be34502052dd37e3c4894a01df6 |
| SHA256 | 32213a5b4f50dbe1e80db42be22d577671826cf47e9ca9ccb1eeb874520c88f1 |
| SHA512 | 29d7b3b7d474cc779fa4d67c47f043873c14812a5d12494960f292c26938d5bb8831fbba79f85ef1763b229f4ac5f4733dea5e7cb4857ecbf72838acb72daf77 |
memory/2624-33-0x0000000000030000-0x0000000000354000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9a9JatYmIKwD.bat
| MD5 | b40ecb22a2201a9d4d8d8681007cf62e |
| SHA1 | c19a9da42637d979e1e0024fbaa41ab9f99cc25d |
| SHA256 | 8cbe2131f43905764537dee5f4c00bf766ed73739d9a014c0bd347cebfb2874c |
| SHA512 | ba3ca397e2ee4de281559a89d68cdc7ddd8252225faa3a06fdc9134fdd9e07da7e76eacdf6d0a46b210f51d100061145849010ab5177135047d68c8ed2e2f7a9 |
memory/2168-44-0x0000000001040000-0x0000000001364000-memory.dmp
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\kSp0LcAZqQIi.bat
| MD5 | 6bedd3c7e9b0fb40977706b879ebb724 |
| SHA1 | ce075859e40ce7acd338a57f6d35bf739f455e8d |
| SHA256 | 13ca9f2cd94459756d71985964146fa82e546081c39ed276af3d03e717565cb0 |
| SHA512 | 1dd682d606feb7353fc71b8b359a303550c6c89a20ac8035e7e715d386e8400380f7c37555074e1e31d7b8f9c4cbfab488545df0b30d2f522ec5afd20c971bae |
memory/1248-56-0x0000000000120000-0x0000000000444000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ookcGWi0iaCr.bat
| MD5 | 934d079a2a60a12fca0f174ce4e6d8ef |
| SHA1 | 76d9f8ff0397cbd956b3326dbb1caee5517093b8 |
| SHA256 | 231e4645511ebc84e49a1658c129b5eccaac9bace556231d79176e74a937bfce |
| SHA512 | 4f7c846887eb7960dead87fcbb4323be89ecac59baa8957fc3c9f9f0301f0489f8e8e95b0039a93d037564afe233f8698e067ca785f776f9c020223d8cb452ac |
memory/1444-67-0x00000000010F0000-0x0000000001414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2Gs52dFuOOAc.bat
| MD5 | de8778ddb3c735833bb8129de217f702 |
| SHA1 | 85676f9bb246429bb6557c31cdb1f179a8dbab21 |
| SHA256 | f73c21b4ea8fd4885cc387a5b32a8f6f0103478cd5c52fdecd03390b7006d3d0 |
| SHA512 | 8e9f18c5d5d995ede538aa71c10aadce16784d48597b571f44607e63a3ccbe2f16008bddb2f6d8f2f8b23d460a6e789cd5f60b71df178dcccdbec38dfdd8bd92 |
C:\Users\Admin\AppData\Local\Temp\fHUypsR5cZe8.bat
| MD5 | f0ee2b391eae0e0620f7a0f2dbedddce |
| SHA1 | d4a40d655b5fa9f80a61dd09f9d99c39c1ab5785 |
| SHA256 | 394d8fad0a6ac74e8cf73cea2f667910fb654a9996c80ad729560b22839c93f0 |
| SHA512 | 73484ea613cf8cd9787a018aa6173565075ca0bc16d7ba56ed1448a4df27aee297fdf57bd5f9b7fd8c1ceb85ecf3e15043f54620969abc5646096f82aa906795 |
memory/340-91-0x00000000011B0000-0x00000000014D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\T4RnteHx2LUO.bat
| MD5 | c85d83fa92faf8eb694431434d33f8d4 |
| SHA1 | 15743690e3fdf143e33a2afc5aa20ea5aee13d92 |
| SHA256 | f5ff779bd4eb9fe6b6313fa68d8b034e53f075231409541122d765548612c221 |
| SHA512 | 8c56b9b51cabacaad6e340b1e4e7f53562c84054fd444927e88856e61b7c7f243e85d75256d2f7bd43eb79c67a07b460fcbaebd29a6b7d0a8762f6f7ae6eeead |
C:\Users\Admin\AppData\Local\Temp\ufVoy4qTmJBg.bat
| MD5 | e82c82d014db1cae3e5ea8e8883038f5 |
| SHA1 | ff72b1f95932c4bebaef8b58ec28d3172fe2d3db |
| SHA256 | 21a7d1afc096d20036554e927a653822d6fd6d4e12db6260ff7e0a8465eaa11a |
| SHA512 | 963b69c5c0737f7ed6e935eed596e80005f45ce3eca37890b6ae7981b9b8e44b05c2016c6a5988ba790ce709cfeb2e5c95123fc77b1d3e27ed7f1df0c6a91845 |
C:\Users\Admin\AppData\Local\Temp\6wxKarHO4iDi.bat
| MD5 | 007aece500a3802fa3461e0a7d217e49 |
| SHA1 | d6d96d15679932570ee589607807e7b7c86a9138 |
| SHA256 | f6034f9dd5b936c9c62a66073ed0bcb9394bae3dd9f0b0eed64f5e3e42f6e9cb |
| SHA512 | 4c69f1b067db5b7048e3b6e63997218834b9df722b42de925b6be6c53753721f793346779aa32076ad00b31374d2f8d51d8008f9bd81766c86418ab905fa0b32 |
C:\Users\Admin\AppData\Local\Temp\XVn1Wk0PyNtH.bat
| MD5 | cb8edf2378050ab1cc2dd5fbe014e9f3 |
| SHA1 | b65c3e91bb146ea69e25dcdae3ff42958bf4b0be |
| SHA256 | c3bea631b92b3854ec53850d77964af26befaa6839f71221f7ecbeab0c357b06 |
| SHA512 | fb88c19b06b180799e990e3b862a7601b9cc2c8aa142b76a369b8ab2f101f597b28c1956d68ffad21ea9dc5b8c4ad6614ce235c6cc04169e8435e4dc2b8c305f |
memory/1632-134-0x00000000000A0000-0x00000000003C4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\z0fvVgTurJIq.bat
| MD5 | 8665de82fa2addcebe13a8cf19f4bd6d |
| SHA1 | 14d247f8486d45925fabc9d83e1f7aec49905ea2 |
| SHA256 | d2e063ec33888db0afb1e5fa2b05e18592e47a8958bdfeeed9cff3304c17305f |
| SHA512 | 4c30a1f4c701e2f1c94feabbf73d6854c316e6c7f3dc19f06c55c93226af7e3bceb8175f1a10284d2cc763e6495cac5cbb2e6e77a14114595119d63b5752939d |
memory/2064-146-0x0000000001220000-0x0000000001544000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MhLSwW5PbTD8.bat
| MD5 | a2a8dfbfe593f8740fbbaa5a7b4f3993 |
| SHA1 | a69675e7f25a416ec7cb28ff8b6e8491b60575ca |
| SHA256 | 348b52fdd349748c3ac31832dfe0d446dbba1e8f585b759096b32abbe076db03 |
| SHA512 | 8b851a1f367d93bb386f3d7c861fa26396e2fd9664d55211556374cb1f7d34064f94d56e9b0815c9f577771c40ad6d8c10c5ba1f179192ca7168042f8d3bf06c |
C:\Users\Admin\AppData\Local\Temp\XC5vi1IMF8Fy.bat
| MD5 | 5f68362e375bd080ea500a5cdfb1699b |
| SHA1 | f68650ea2a35e53cff02d544315f9c6f2af6b849 |
| SHA256 | 443db0cd5795d9ac2e553499003ae813961cc57ab4e22ee6ea41d0345d17b20c |
| SHA512 | f5f585560e0e34020cd9ce4fb0628c918389bb54461b3599b57801b95e077072d5bc05f831c328017e3f84b7a365a7c64730661f9e8ba6ab0b143e7dc4fc0ff6 |
C:\Users\Admin\AppData\Local\Temp\HV4X7nAPaktd.bat
| MD5 | 2b0ea848d60689f71e36de6acb56c4e9 |
| SHA1 | ba83f8f1ea87add2b1f47cd5fb3332a6e73c9b52 |
| SHA256 | dd252e892706c39dd87ada2598677e7078e6b45ebf41ddf3c5a0a27532d1cce0 |
| SHA512 | 5d104c428d428375361204c2cfde6409eeb908dbfc83afb06a6f121d5bfe231a4f8eafd92066180947ab943595e953923822f3e1422dac45eb89d5d51d2806c0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-04 01:24
Reported
2024-08-04 01:26
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | N/A |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
"C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEiMixRgKeO7.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XpLHk3Hs7XBf.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hCHBOAdpeJ8p.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hkOzK3FNaL4n.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iSM2RpwG6zqP.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kthY9GZZm3ST.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k0aumOzGJsyg.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZItkk5tp8pos.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Rd9vnoVRQ0f3.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JPyMkjlwUBG2.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Uv5BxCS2lg1P.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\11nIkY2H48r8.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VLKi7rizViNE.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vzfUcSVf3UPK.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D6Nkl14ERROP.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
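The process list above repeats one pattern. The submitted sample starts the dropped copy C:\Windows\system32\SubDir\SolaraExecutor.exe; every instance of that copy re-registers a logon task named RtkAudUService64 (the name of Realtek's audio service executable) with /rl HIGHEST, then runs a random-named .bat whose visible children are chcp 65001 and ping -n 10 localhost, a crude sleep of roughly nine seconds, after which the next SolaraExecutor.exe instance appears. The .bat body is not on the page; that it relaunches the executable is an inference from the process order, and it matches the restart batch Quasar is known to write. The script below is an added example for this report, not the sandbox's code and not anything from the sample: it rebuilds the command lines of this section as constructed input and applies the checks an analyst would turn into detections, namely schtasks /create with an ONLOGON trigger and HIGHEST run level, a target under system32\SubDir (Quasar's builder-default install folder name), a task name copied from a vendor service, and the cmd, chcp, ping relaunch chain. The lookalike-name watchlist is an assumption added for illustration.

```python
import re

# Paths and command lines copied from the Processes section of this report.
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EXE = TEMP_DIR + r"\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe"
DROPPED_EXE = r"C:\Windows\system32\SubDir\SolaraExecutor.exe"
SCHTASKS_CMD = ('"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON '
                '/tr "C:\\Windows\\system32\\SubDir\\SolaraExecutor.exe" /rl HIGHEST /f')
BAT_NAMES = ["XEiMixRgKeO7", "XpLHk3Hs7XBf", "hCHBOAdpeJ8p", "hkOzK3FNaL4n",
             "iSM2RpwG6zqP", "kthY9GZZm3ST", "k0aumOzGJsyg", "ZItkk5tp8pos",
             "Rd9vnoVRQ0f3", "JPyMkjlwUBG2", "Uv5BxCS2lg1P", "11nIkY2H48r8",
             "VLKi7rizViNE", "vzfUcSVf3UPK", "D6Nkl14ERROP"]

# Constructed watchlist (an assumption for illustration): task names that copy a
# vendor service name.  RtkAudUService64 is Realtek's audio service executable.
LOOKALIKE_TASK_NAMES = {"rtkauduservice64"}

SCHTASKS_FLAG = re.compile(r'/(tn|sc|tr|rl)\s+(?:"([^"]*)"|(\S+))', re.I)
BAT_FROM_CMD = re.compile(r'cmd(?:\.exe)?\s+/c\s+"*([^"]+\.bat)"', re.I)
PING_DELAY = re.compile(r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+(?:localhost|127\.0\.0\.1)\b", re.I)


def report_events():
    """Rebuild the flat (image, command line) list printed in the Processes
    section: the sample, its schtasks call, then 15 relaunch cycles, one per
    .bat name.  Constructed from the page, not captured live."""
    events = [(SAMPLE_EXE, '"' + SAMPLE_EXE + '"'),
              (r"C:\Windows\SYSTEM32\schtasks.exe", SCHTASKS_CMD)]
    for name in BAT_NAMES:
        bat = TEMP_DIR + "\\" + name + ".bat"
        events += [
            (DROPPED_EXE, '"' + DROPPED_EXE + '"'),
            (r"C:\Windows\SYSTEM32\schtasks.exe", SCHTASKS_CMD),
            (r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c " + '""' + bat + '" "'),
            (r"C:\Windows\system32\chcp.com", "chcp 65001"),
            (r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
        ]
    return events


def parse_schtasks(cmdline):
    """Return the /tn /sc /tr /rl values of a 'schtasks /create' line, else None."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in SCHTASKS_FLAG.finditer(cmdline)}


def persistence_findings(flags):
    """Reasons a parsed 'schtasks /create' deserves an alert; empty if nothing matched."""
    reasons = []
    if flags.get("sc", "").upper() in ("ONLOGON", "ONSTART"):
        reasons.append("trigger %s: runs without user action" % flags["sc"].upper())
    if flags.get("rl", "").upper() == "HIGHEST":
        reasons.append("/rl HIGHEST: runs at the highest integrity level the account allows")
    if re.search(r"\\system32\\subdir\\", flags.get("tr", ""), re.I):
        reasons.append("target under system32\\SubDir, Quasar's builder-default install folder")
    if flags.get("tn", "").lower() in LOOKALIKE_TASK_NAMES:
        reasons.append("task name imitates a Realtek service (%s)" % flags["tn"])
    return reasons


def relaunch_cycles(events):
    """Each 'cmd /c <x>.bat' whose next two children include a ping-to-localhost
    delay counts as one relaunch cycle.  Returns (bat path, delay in seconds);
    'ping -n N localhost' waits roughly N-1 seconds.  The .bat body is not on
    the page; that it starts the next SolaraExecutor.exe is inferred from order."""
    cycles = []
    for i, (_, cmd) in enumerate(events):
        m = BAT_FROM_CMD.search(cmd)
        if not m:
            continue
        for _, child in events[i + 1:i + 3]:
            p = PING_DELAY.search(child)
            if p:
                cycles.append((m.group(1), max(int(p.group(1)) - 1, 0)))
                break
    return cycles


def triage(events):
    """Summarise persistence and relaunch behaviour in one dict."""
    tasks = [t for t in (parse_schtasks(c) for _, c in events) if t]
    cycles = relaunch_cycles(events)
    return {
        "schtasks_create": len(tasks),
        "task_names": sorted({t.get("tn", "") for t in tasks}),
        "reasons": persistence_findings(tasks[0]) if tasks else [],
        "relaunch_cycles": len(cycles),
        "delay_seconds_total": sum(d for _, d in cycles),
    }


if __name__ == "__main__":
    for key, value in triage(report_events()).items():
        print(key, value)
```

On a live host the same checks apply to Sysmon event 1 or 4688 command lines; the combination of an ONLOGON trigger, HIGHEST run level and a target outside Program Files or a vendor directory is rare enough in normal administration to alert on by itself, and the chcp/ping pair under cmd.exe is a cheap secondary signal for the relaunch loop.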
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
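All 23 queries go to 8.8.8.8:53 over UDP. Fifteen of them ask for nohchy-47404.portmap.host; portmap.host belongs to a public port-forwarding service, so this hostname is a rendezvous point rented by the operator rather than infrastructure they own, and a block on whatever address it resolved to during detonation will not hold. The other eight rows are PTR lookups, which are only useful once they are turned back into the addresses they ask about. The script below is an added example, not the sandbox's code: it takes the rows of the table as constructed input, separates PTR queries from forward lookups, recovers the address behind each PTR name, and counts hits against a small constructed watchlist of tunnel services. Reading the numeric suffix of the hostname as the mapped public port is an assumption; treat it as a hint only.

```python
import ipaddress
import re
from collections import Counter

# Query names in the order the Network table lists them.  Constructed from the
# page, not a live capture; every row used resolver 8.8.8.8:53 over udp.
QUERIED_NAMES = (
    ["8.8.8.8.in-addr.arpa", "64.159.190.20.in-addr.arpa", "nohchy-47404.portmap.host",
     "73.144.22.2.in-addr.arpa", "26.35.223.20.in-addr.arpa"]
    + ["nohchy-47404.portmap.host"] * 2
    + ["50.23.12.20.in-addr.arpa", "171.39.242.20.in-addr.arpa", "nohchy-47404.portmap.host",
       "172.214.232.199.in-addr.arpa"]
    + ["nohchy-47404.portmap.host"] * 5
    + ["11.227.111.52.in-addr.arpa"]
    + ["nohchy-47404.portmap.host"] * 6
)
DNS_ROWS = [("US", "8.8.8.8:53", name, "udp") for name in QUERIED_NAMES]

# Constructed watchlist (an assumption): port-forwarding services whose
# hostnames are routinely used as RAT rendezvous points.  portmap.host is the
# one this sample resolves.
TUNNEL_DOMAINS = ("portmap.host", "portmap.io")
PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """Reverse a PTR query name back into the IPv4 address it asks about,
    e.g. 64.159.190.20.in-addr.arpa -> 20.190.159.64; None if not a PTR name."""
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    octets = name[:-len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def classify(name):
    """'reverse-lookup', 'tunnel-service' or 'other' for one queried name."""
    low = name.lower().rstrip(".")
    if ptr_to_ip(low):
        return "reverse-lookup"
    if any(low == d or low.endswith("." + d) for d in TUNNEL_DOMAINS):
        return "tunnel-service"
    return "other"


def port_hint(name):
    """portmap-style names look like <label>-<number>.portmap.host; the number is
    taken here as the mapped public port.  Assumption, not verified."""
    m = re.match(r"^[a-z0-9]+-(\d{2,5})\.", name.lower())
    return int(m.group(1)) if m else None


def summarize(rows):
    """Group the DNS rows by class and pull out what an analyst acts on."""
    classes = Counter()
    names = {}
    for _country, resolver, name, _proto in rows:
        cls = classify(name)
        classes[cls] += 1
        names.setdefault(cls, Counter())[name] += 1
    tunnel = names.get("tunnel-service", Counter())
    return {
        "resolvers": sorted({r for _, r, _, _ in rows}),
        "classes": dict(classes),
        "tunnel_hosts": {h: (n, port_hint(h)) for h, n in tunnel.items()},
        "reverse_targets": sorted(ptr_to_ip(n) for n in names.get("reverse-lookup", Counter())),
    }


if __name__ == "__main__":
    for key, value in summarize(DNS_ROWS).items():
        print(key, value)
```

The fifteen lookups of the portmap.host name line up with the fifteen relaunch cycles in the process list, which is what a client that resolves its server once per start would produce. For blocking, the hostname (and the portmap.host parent domain, if the estate has no legitimate use for it) is the durable indicator; the recovered PTR targets are worth attributing before they go anywhere near a blocklist, since the guest image performs its own reverse lookups.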
Files
memory/688-0-0x00007FF8B9073000-0x00007FF8B9075000-memory.dmp
memory/688-1-0x0000000000D80000-0x00000000010A4000-memory.dmp
memory/688-2-0x00007FF8B9070000-0x00007FF8B9B31000-memory.dmp
C:\Windows\System32\SubDir\SolaraExecutor.exe
| MD5 | 3cf4f19b7c69135acb3c4c9bb9cdfb90 |
| SHA1 | e2b5a40dd2abfa03671fde7c4e74f9b2846f989f |
| SHA256 | 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf |
| SHA512 | 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd |
memory/688-8-0x00007FF8B9070000-0x00007FF8B9B31000-memory.dmp
memory/4540-9-0x00007FF8B9070000-0x00007FF8B9B31000-memory.dmp
memory/4540-10-0x00007FF8B9070000-0x00007FF8B9B31000-memory.dmp
memory/4540-11-0x000000001DF30000-0x000000001DF80000-memory.dmp
memory/4540-12-0x000000001E040000-0x000000001E0F2000-memory.dmp
memory/4540-17-0x00007FF8B9070000-0x00007FF8B9B31000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XEiMixRgKeO7.bat
| MD5 | 6bf0858535d56f2819a0f44ee05230bb |
| SHA1 | 8fea9629e64221743d4a2f2c7bc6de37e212a991 |
| SHA256 | db5392aebdae516481aef0772119dd53449c3d25c88aa2c7d16416bb7b475067 |
| SHA512 | b386b2e6e793431e2e98963c9b93800d780f4775ef2b3ba224fa3a48656ef5824a65a94f7b12c311a97c36c1f45f04555ab1e4c150037d533322640154d65240 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SolaraExecutor.exe.log
| MD5 | 8f0271a63446aef01cf2bfc7b7c7976b |
| SHA1 | b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7 |
| SHA256 | da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c |
| SHA512 | 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5 |
C:\Users\Admin\AppData\Local\Temp\XpLHk3Hs7XBf.bat
| MD5 | 3b71f11952579b56a9f26b1f827a8e66 |
| SHA1 | b70617f3452056cc67d17f1225ed286d5f84d1f0 |
| SHA256 | 7dd256daac279e02bb906b5c21536244df1a4cbf162d2c9e61c089634c36a998 |
| SHA512 | 3a49ddc591b93e5196790c24e51b0abfc9b1ccf4b705222d722c95eebf9bc9448a9939e2025cecf5da76dd72dd9173c66c22c7dfa6cdfada433ab716de17ec74 |
C:\Users\Admin\AppData\Local\Temp\hCHBOAdpeJ8p.bat
| MD5 | c0d2a4ea1af7ce956918fc60c16f21e5 |
| SHA1 | e4cf43c0dd7b38cacb882b1b5af58df19db03659 |
| SHA256 | 0501af29d41773ca7e40989086b119645929637657fcb215ba2e1b3e441716f6 |
| SHA512 | 115eb761f632b2e7ecf9047f53006ed04c1c6a0cedbc066f4f2665f95899521764454657fd2f86cecbe57b431859b86a8fe6e80794f4377f57fa6462a40d2bb8 |
C:\Users\Admin\AppData\Local\Temp\hkOzK3FNaL4n.bat
| MD5 | b20d6c9ba0f8515fd11a40e7934d6c71 |
| SHA1 | b234088f05a36df05533ab6c7118e64cf97a27e4 |
| SHA256 | f914611f571d63b90d8f01089c423a2ef9a6428d3f8007ca4f035ba15326f2ff |
| SHA512 | 7c356438dd1088d9424f33bd1ab1908a0feeddc970439f081ca78e7700e99f2fe324639bf2478d954efd95e9f602fa618d1c4b4962827ac74c3da42db9f1417e |
C:\Users\Admin\AppData\Local\Temp\iSM2RpwG6zqP.bat
| MD5 | 4b59ab7474b334e9b5aed7ccc8657f17 |
| SHA1 | d4250e7e09908130b974917623628175d20584a4 |
| SHA256 | c576f58864fa1370391c7f6ec9f5df81f370c0b6258f00f942ebca051ba5ccb3 |
| SHA512 | 4e5198f98c4c1f21939e29b71402762bdd105e8e765ac76f9e2a7f1303580f4cca4714cc9b8ea1e7a0c1f85e4b14032528d68ecc04a5f6148605d1d3568e9a82 |
C:\Users\Admin\AppData\Local\Temp\kthY9GZZm3ST.bat
| MD5 | 846752e5aed00b8b9c78bb32f8f3147d |
| SHA1 | 567c6f30bbe5ea74e349d025fabe35c128d73a88 |
| SHA256 | 2fc56b3b0d23a18fbf4726aa4098ead2a8115f720e54dc52bc5ae4cfe334be85 |
| SHA512 | d9b32fd7184d869429f7b23567b8676e100c14ec4b5ef6f1f61bf1b5824da202730cdaf70fd8bb7210223f82d77b8aaa7e962b939b6074b612e9214f195895af |
C:\Users\Admin\AppData\Local\Temp\k0aumOzGJsyg.bat
| MD5 | cde1253873cf461daf76480611ea07a7 |
| SHA1 | e31aee396d57b6311b81eff7b6b498f91f63da84 |
| SHA256 | d2e6d64720b9045858f090a21f984aad25baefc06a4ed1677224f02fd9deb1b5 |
| SHA512 | 9e22650adc068cf092ed949680391578243274815e8f192b80cb05a46f0cb18b82526b574fd7ced9b0ff186f8c1dbb205de46245a73e9f60e49d8e7d52a2f809 |
C:\Users\Admin\AppData\Local\Temp\ZItkk5tp8pos.bat
| MD5 | de9d9500f42a85e22f61f9c07afc9832 |
| SHA1 | a00e0fd17b5e3cc5e40774846c2eee6e221998c3 |
| SHA256 | b1e26154369bcd2d7c2ffba531df1fec9b9b6441c2b2b14eff84bcb4da067ce1 |
| SHA512 | 2f826500fd10a4c57118f95eb2e62c0707aac80609dd4b7c471d827d860275dc80627fb701d524dc48aba07fc3939914e0d3281894f0df3315fb80b08f4680c4 |
C:\Users\Admin\AppData\Local\Temp\Rd9vnoVRQ0f3.bat
| MD5 | f0a09af6ca076e5e37836617792cc796 |
| SHA1 | eafe86de9e2be233fd453f8b888ea148a306ec13 |
| SHA256 | 496e5f2f4b7d6b452be18caefc7e13c25884329187dfe3046b3773c32eb02c22 |
| SHA512 | 3a242f27a94f6a66065ed5819be3efa32f95c55c531c142f4ad758d54cde000035de3536b525032a7beece69bb40a599df5d966d5dbb204de67c1d4f44e1de77 |
C:\Users\Admin\AppData\Local\Temp\JPyMkjlwUBG2.bat
| MD5 | 5bcb25f5bede1e6184ad61d0830f68b6 |
| SHA1 | 3c4631c4b676fdefcb65fbda105c746e2da9d582 |
| SHA256 | 19218a4ea6235183801c0dacefc484d05f1ab28bd83d6cf92e87fe1874b1bb73 |
| SHA512 | 844820830fbaca4a285e796f36157f4530d8ed1d70e21a301a1d39ef706eb946e8c6558c1048542f79b51e4df6b25a9df9c74cac7cf9d3a6d228619d25d33d9a |
C:\Users\Admin\AppData\Local\Temp\Uv5BxCS2lg1P.bat
| MD5 | e20ebba8fd437d264f67f69c6e9848fd |
| SHA1 | 3fafec2ce87b05f07081264b55c0856247184104 |
| SHA256 | d24ccdaf66395e37c21df5760c0a0c676e43da2750e6cb3fb857a10955007b62 |
| SHA512 | 90e7bfab85dff2899f29a7c5ca1706f282538fb3ac0d6af27e69b25f020ec540391619cb3d63de2433fc6b0c3b96a0af6778d624a2f0d6f0bff2746e7d222577 |
C:\Users\Admin\AppData\Local\Temp\11nIkY2H48r8.bat
| MD5 | 4be3c3830fafdd9e59739a963f01e732 |
| SHA1 | 2ebb309fba805acffc04c39e3348f86357d73197 |
| SHA256 | 014b3a0e614cb8f84e7c10694d5ffd34f1c6fbac48e3a0f62cd62bfe334c1d5b |
| SHA512 | aa1179d5d1935cfd41d6b8c6cbbaf5079d3dacb86316f88c1ef20e2092d265396ae5060f46f95b68813b10fe2757c25975227a0c38e3d5a0b240bd2e04a2c8f9 |
C:\Users\Admin\AppData\Local\Temp\VLKi7rizViNE.bat
| MD5 | dff6999fdddb4a56a64d75018d53ce16 |
| SHA1 | 41f00a0119ed620c7194ebc697f744b2b7524c7b |
| SHA256 | 66659e7e9ee01488e5b021fdb5aad2f4478a4dee1fc26816d93c8d0ad557d279 |
| SHA512 | ff50a577cf3744ded1b43f6d9792cfec7dde9da2ff2b4e231d36f42c603ba9c378bdd25a0c661147ce1749602054ba20d29c81e1a339592d155b7414e10abc11 |
C:\Users\Admin\AppData\Local\Temp\vzfUcSVf3UPK.bat
| MD5 | 57a4750864386885c761299f305886be |
| SHA1 | 41bf58dcbfe011b3ba9952bee5ee0980c4e2d7f0 |
| SHA256 | 20596e82147ba33182ae5f0b3d461e4236c103fc7bd99fc21db3760d4b15d247 |
| SHA512 | 0c35fce3f7e6e96e416da3f555b62c354493d03efc7b196b8e4572855aab8a52e66a6b492b214a2ac5e4f6a8c8b09c3d67b2391fec98f0116dfcec030aee6443 |
C:\Users\Admin\AppData\Local\Temp\D6Nkl14ERROP.bat
| MD5 | 859d1460ab539a4b17cd9a26980b1d1f |
| SHA1 | 7ea6cd43a918bc0fb8cf4d951cde704d7e4791ab |
| SHA256 | 36a3c002c15862618e614f56c3e8c6981197ff2b28cc2314378b1f38b9fe0805 |
| SHA512 | edb7b2bf4df03237d308a70fe3f1be02c6c3f364286ba3e6a6262f529095dfd0adeb820c5ecf337be7b9a715a8ded4839b9d02a10a07293e22463c349727ad99 |
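Three things in the file list matter for response. The dropped C:\Windows\System32\SubDir\SolaraExecutor.exe has the same SHA256 the submitted sample is named after, so the loader and the installed copy are one file and a single hash rule covers both. The CLR_v4.0\UsageLogs entry shows SolaraExecutor.exe ran as a .NET 4 managed assembly, which fits Quasar being a C# RAT. The fifteen .bat files all carry 12-character alphanumeric names and fifteen different hashes, so hashing them is pointless and the name pattern under Temp is the better hunt key. The script below is an added example, not the vendor's tooling; its path-to-SHA256 table is constructed from this section (the MD5, SHA1 and SHA512 columns are omitted, SHA256 is enough to group on).

```python
import re
from collections import Counter

SUBMITTED_SHA256 = "6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"

# path -> SHA256, copied from the Files section above (constructed input).
FILES = {
    r"C:\Windows\System32\SubDir\SolaraExecutor.exe":
        "6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf",
    r"C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SolaraExecutor.exe.log":
        "da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c",
}
FILES.update({TEMP_DIR + "\\" + name + ".bat": sha for name, sha in [
    ("XEiMixRgKeO7", "db5392aebdae516481aef0772119dd53449c3d25c88aa2c7d16416bb7b475067"),
    ("XpLHk3Hs7XBf", "7dd256daac279e02bb906b5c21536244df1a4cbf162d2c9e61c089634c36a998"),
    ("hCHBOAdpeJ8p", "0501af29d41773ca7e40989086b119645929637657fcb215ba2e1b3e441716f6"),
    ("hkOzK3FNaL4n", "f914611f571d63b90d8f01089c423a2ef9a6428d3f8007ca4f035ba15326f2ff"),
    ("iSM2RpwG6zqP", "c576f58864fa1370391c7f6ec9f5df81f370c0b6258f00f942ebca051ba5ccb3"),
    ("kthY9GZZm3ST", "2fc56b3b0d23a18fbf4726aa4098ead2a8115f720e54dc52bc5ae4cfe334be85"),
    ("k0aumOzGJsyg", "d2e6d64720b9045858f090a21f984aad25baefc06a4ed1677224f02fd9deb1b5"),
    ("ZItkk5tp8pos", "b1e26154369bcd2d7c2ffba531df1fec9b9b6441c2b2b14eff84bcb4da067ce1"),
    ("Rd9vnoVRQ0f3", "496e5f2f4b7d6b452be18caefc7e13c25884329187dfe3046b3773c32eb02c22"),
    ("JPyMkjlwUBG2", "19218a4ea6235183801c0dacefc484d05f1ab28bd83d6cf92e87fe1874b1bb73"),
    ("Uv5BxCS2lg1P", "d24ccdaf66395e37c21df5760c0a0c676e43da2750e6cb3fb857a10955007b62"),
    ("11nIkY2H48r8", "014b3a0e614cb8f84e7c10694d5ffd34f1c6fbac48e3a0f62cd62bfe334c1d5b"),
    ("VLKi7rizViNE", "66659e7e9ee01488e5b021fdb5aad2f4478a4dee1fc26816d93c8d0ad557d279"),
    ("vzfUcSVf3UPK", "20596e82147ba33182ae5f0b3d461e4236c103fc7bd99fc21db3760d4b15d247"),
    ("D6Nkl14ERROP", "36a3c002c15862618e614f56c3e8c6981197ff2b28cc2314378b1f38b9fe0805"),
]})

RANDOM_BAT = re.compile(r"\\[A-Za-z0-9]{12}\.bat$")
CLR_USAGE_LOG = re.compile(r"\\CLR_v\d+\.\d+\\UsageLogs\\(.+)\.log$", re.I)


def self_copies(files, submitted_sha256):
    """Dropped files whose SHA256 equals the submitted sample's: a plain copy,
    so one hash detects both the loader and its installed form."""
    return sorted(p for p, h in files.items() if h.lower() == submitted_sha256.lower())


def random_named_batches(files):
    """Batch files with a 12-character alphanumeric name, the pattern every
    relaunch batch on this page follows."""
    return sorted(p for p in files if RANDOM_BAT.search(p))


def dotnet_assemblies(files):
    """Executables for which the .NET 4 runtime wrote a CLR usage log; the log
    exists only because the named binary ran as a managed assembly."""
    found = []
    for path in files:
        m = CLR_USAGE_LOG.search(path)
        if m:
            found.append(m.group(1))
    return sorted(found)


def hash_stats(files):
    """How many distinct hashes the table holds and which ones repeat; a hash
    that repeats across paths is worth a rule, one that never repeats is not."""
    counts = Counter(h.lower() for h in files.values())
    return {"files": len(files), "distinct_hashes": len(counts),
            "repeated": {h: n for h, n in counts.items() if n > 1}}


if __name__ == "__main__":
    print("self copies:", self_copies(FILES, SUBMITTED_SHA256))
    print("random-named batches:", len(random_named_batches(FILES)))
    print("managed binaries:", dotnet_assemblies(FILES))
    print("hash stats:", hash_stats(FILES))
```

For cleanup, the task RtkAudUService64, the SubDir folder and the CLR usage log are the persistent artefacts; the batch files delete themselves during normal operation, so their absence on a host says nothing.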