Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-08-2024 01:22

General

  • Target

    6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe

  • Size

    3.1MB

  • MD5

    3cf4f19b7c69135acb3c4c9bb9cdfb90

  • SHA1

    e2b5a40dd2abfa03671fde7c4e74f9b2846f989f

  • SHA256

    6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf

  • SHA512

    4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd

  • SSDEEP

    49152:DvehBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaxAtueYFoGdXTHHB72eh2NT:DvAt2d5aKCuVPzlEmVQ0wvwf+tuee

Malware Config

Extracted

  • Family

    quasar

  • Version

    1.4.1

  • Botnet

    Office04

  • C2

    nohchy-47404.portmap.host:47404

  • Mutex

    1a1e174b-dbf8-49ad-9b43-2cfbb233a6d9

Attributes
  • encryption_key

    795CDD46D2CDD422BE523F263B64E03D8B6AAD42

  • install_name

    SolaraExecutor.exe

  • log_directory

    Logs

  • reconnect_delay

    2000

  • startup_key

    RtkAudUService64

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload (2 IoCs)
  • Checks computer location settings (2 TTPs, 15 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (15 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 15 IoCs)

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe (1 TTPs, 15 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTPs, 16 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken (16 IoCs)
  • Suspicious use of FindShellTrayWindow (15 IoCs)
  • Suspicious use of SendNotifyMessage (15 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
    "C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4664
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:5036
    • C:\Windows\system32\SubDir\SolaraExecutor.exe
      "C:\Windows\system32\SubDir\SolaraExecutor.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2784
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W7lUz8pWMPpn.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4572
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:2216
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2224
          • C:\Windows\system32\SubDir\SolaraExecutor.exe
            "C:\Windows\system32\SubDir\SolaraExecutor.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4524
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1520
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\16ZVFvTZz0CJ.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1008
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:3736
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:4736
                • C:\Windows\system32\SubDir\SolaraExecutor.exe
                  "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of WriteProcessMemory
                  PID:4272
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:4868
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iPU1zKcBXY2l.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4644
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:1272
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:2188
                      • C:\Windows\system32\SubDir\SolaraExecutor.exe
                        "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of WriteProcessMemory
                        PID:2652
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:4500
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tfD9octdj03C.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4756
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:1876
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:2376
                            • C:\Windows\system32\SubDir\SolaraExecutor.exe
                              "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                              10⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              • Suspicious use of WriteProcessMemory
                              PID:2472
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:2388
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCudxH9lkNFr.bat" "
                                11⤵
                                • Suspicious use of WriteProcessMemory
                                PID:5088
                                • C:\Windows\system32\chcp.com
                                  chcp 65001
                                  12⤵
                                    PID:3244
                                  • C:\Windows\system32\PING.EXE
                                    ping -n 10 localhost
                                    12⤵
                                    • System Network Configuration Discovery: Internet Connection Discovery
                                    • Runs ping.exe
                                    PID:3328
                                  • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                    "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                    12⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of FindShellTrayWindow
                                    • Suspicious use of SendNotifyMessage
                                    • Suspicious use of WriteProcessMemory
                                    PID:2364
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                      13⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:468
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VeFbEV00Wwzy.bat" "
                                      13⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:3316
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        14⤵
                                          PID:4636
                                        • C:\Windows\system32\PING.EXE
                                          ping -n 10 localhost
                                          14⤵
                                          • System Network Configuration Discovery: Internet Connection Discovery
                                          • Runs ping.exe
                                          PID:3652
                                        • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                          "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                          14⤵
                                          • Checks computer location settings
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of FindShellTrayWindow
                                          • Suspicious use of SendNotifyMessage
                                          PID:3984
                                          • C:\Windows\SYSTEM32\schtasks.exe
                                            "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                            15⤵
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:3884
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fytIjLcgCjOP.bat" "
                                            15⤵
                                              PID:3412
                                              • C:\Windows\system32\chcp.com
                                                chcp 65001
                                                16⤵
                                                  PID:2100
                                                • C:\Windows\system32\PING.EXE
                                                  ping -n 10 localhost
                                                  16⤵
                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                  • Runs ping.exe
                                                  PID:3680
                                                • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                  "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                  16⤵
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of FindShellTrayWindow
                                                  • Suspicious use of SendNotifyMessage
                                                  PID:4496
                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                    17⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:4392
                                                  • C:\Windows\system32\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2EPZmyYmsYuF.bat" "
                                                    17⤵
                                                      PID:748
                                                      • C:\Windows\system32\chcp.com
                                                        chcp 65001
                                                        18⤵
                                                          PID:4176
                                                        • C:\Windows\system32\PING.EXE
                                                          ping -n 10 localhost
                                                          18⤵
                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                          • Runs ping.exe
                                                          PID:220
                                                        • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                          "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                          18⤵
                                                          • Checks computer location settings
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          • Suspicious use of FindShellTrayWindow
                                                          • Suspicious use of SendNotifyMessage
                                                          PID:3528
                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                            "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                            19⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:3756
                                                          • C:\Windows\system32\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wC8XrhgPClRM.bat" "
                                                            19⤵
                                                              PID:2952
                                                              • C:\Windows\system32\chcp.com
                                                                chcp 65001
                                                                20⤵
                                                                  PID:564
                                                                • C:\Windows\system32\PING.EXE
                                                                  ping -n 10 localhost
                                                                  20⤵
                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                  • Runs ping.exe
                                                                  PID:568
                                                                • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                                  "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                                  20⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • Suspicious use of FindShellTrayWindow
                                                                  • Suspicious use of SendNotifyMessage
                                                                  PID:4044
                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                    21⤵
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4656
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\26O8SILkCMi4.bat" "
                                                                    21⤵
                                                                      PID:4848
                                                                      • C:\Windows\system32\chcp.com
                                                                        chcp 65001
                                                                        22⤵
                                                                          PID:5096
                                                                        • C:\Windows\system32\PING.EXE
                                                                          ping -n 10 localhost
                                                                          22⤵
                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                          • Runs ping.exe
                                                                          PID:1044
                                                                        • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                                          "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                                          22⤵
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          • Suspicious use of FindShellTrayWindow
                                                                          • Suspicious use of SendNotifyMessage
                                                                          PID:4800
                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                            "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                            23⤵
                                                                            • Scheduled Task/Job: Scheduled Task
                                                                            PID:4948
                                                                          • C:\Windows\system32\cmd.exe
                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SvgLupwUcALz.bat" "
                                                                            23⤵
                                                                              PID:4660
                                                                              • C:\Windows\system32\chcp.com
                                                                                chcp 65001
                                                                                24⤵
                                                                                  PID:1340
                                                                                • C:\Windows\system32\PING.EXE
                                                                                  ping -n 10 localhost
                                                                                  24⤵
                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                  • Runs ping.exe
                                                                                  PID:2216
                                                                                • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                                                  "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                                                  24⤵
                                                                                  • Checks computer location settings
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                  • Suspicious use of SendNotifyMessage
                                                                                  PID:892
                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                                    25⤵
                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                    PID:4896
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hux1T2XIq2Bb.bat" "
                                                                                    25⤵
                                                                                      PID:3840
                                                                                      • C:\Windows\system32\chcp.com
                                                                                        chcp 65001
                                                                                        26⤵
                                                                                          PID:740
                                                                                        • C:\Windows\system32\PING.EXE
                                                                                          ping -n 10 localhost
                                                                                          26⤵
                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                          • Runs ping.exe
                                                                                          PID:4380
                                                                                        • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                                                          "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                                                          26⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                          • Suspicious use of SendNotifyMessage
                                                                                          PID:684
                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                            "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                                            27⤵
                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                            PID:5112
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWKuUjNHFXWj.bat" "
                                                                                            27⤵
                                                                                              PID:3700
                                                                                              • C:\Windows\system32\chcp.com
                                                                                                chcp 65001
                                                                                                28⤵
                                                                                                  PID:4840
                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                  ping -n 10 localhost
                                                                                                  28⤵
                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                  • Runs ping.exe
                                                                                                  PID:4572
                                                                                                • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                                                                  "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                                                                  28⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                  PID:4648
                                                                                                  • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                    "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                                                    29⤵
                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                    PID:4188
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IiE7ZcOOcVUd.bat" "
                                                                                                    29⤵
                                                                                                      PID:432
                                                                                                      • C:\Windows\system32\chcp.com
                                                                                                        chcp 65001
                                                                                                        30⤵
                                                                                                          PID:2176
                                                                                                        • C:\Windows\system32\PING.EXE
                                                                                                          ping -n 10 localhost
                                                                                                          30⤵
                                                                                                          • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                          • Runs ping.exe
                                                                                                          PID:4864
                                                                                                        • C:\Windows\system32\SubDir\SolaraExecutor.exe
                                                                                                          "C:\Windows\system32\SubDir\SolaraExecutor.exe"
                                                                                                          30⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                          PID:876
                                                                                                          • C:\Windows\SYSTEM32\schtasks.exe
                                                                                                            "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
                                                                                                            31⤵
                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                            PID:4752
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsjMQ4qbaTkr.bat" "
                                                                                                            31⤵
                                                                                                              PID:368
                                                                                                              • C:\Windows\system32\chcp.com
                                                                                                                chcp 65001
                                                                                                                32⤵
                                                                                                                  PID:736
                                                                                                                • C:\Windows\system32\PING.EXE
                                                                                                                  ping -n 10 localhost
                                                                                                                  32⤵
                                                                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                                  • Runs ping.exe
                                                                                                                  PID:1324

                                                  Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Downloads

                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SolaraExecutor.exe.log
                                                    Filesize: 2KB
                                                    MD5: 8f0271a63446aef01cf2bfc7b7c7976b
                                                    SHA1: b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
                                                    SHA256: da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
                                                    SHA512: 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

                                                  • C:\Users\Admin\AppData\Local\Temp\16ZVFvTZz0CJ.bat
                                                    Filesize: 204B
                                                    MD5: 42a16d2653c8301d7a440acec0d7c599
                                                    SHA1: 0ccdec5d54d22335cdc18e26b32ad3248b83249b
                                                    SHA256: 7947e8abd5bae56cb3980ca9f8b7942895836ec4d5ce7841f6f1f5565c857a7e
                                                    SHA512: fa220b3e5b734420f4eb4a856102118897f4e426c55cc88b8b00c1111a5c77fc97207f2c9d1e2a7d47e0f7e379c9257783665b497b256a8524917a374d081390

                                                  • C:\Users\Admin\AppData\Local\Temp\26O8SILkCMi4.bat
                                                    Filesize: 204B
                                                    MD5: 440b296784dc2f4e831d12bf2c3c28ef
                                                    SHA1: 88c9efb2d7003be87665f66bd0c488ca738f3930
                                                    SHA256: 852f0865045eb7d2e78a8478dd92560076da0b23edc693c45658f7459f876993
                                                    SHA512: d7e75e1a95d9fdbc80bd72157ce65bc25d9a51d62384bd840b5d572f548585f45d20e2bd4525753640f8cdd60f355a8b3b349683160fc3742619953bc735ac87

                                                  • C:\Users\Admin\AppData\Local\Temp\2EPZmyYmsYuF.bat
                                                    Filesize: 204B
                                                    MD5: 0c88452007f4908fd748306a01446a90
                                                    SHA1: 4440a55bb618485a0c9b3e0902ac38d589f5ac07
                                                    SHA256: 0d25afaf76d52870d770930a184d14256aaaebe1ae711bb941953bbf34611c37
                                                    SHA512: f1d9ff78dcbd0f2a70cb8808d5e95fe684682766fa570a900298289d0ebaf62e65b40b2d1a00fd0888e26a17205feb6ea8a9db66000a94f0d66032cea575ccd7

                                                  • C:\Users\Admin\AppData\Local\Temp\Hux1T2XIq2Bb.bat
                                                    Filesize: 204B
                                                    MD5: 48a08052aec2100a51a55ec2c4246d69
                                                    SHA1: 59c7271cbf6c76d984b37145072649837ba42b7d
                                                    SHA256: 68c194cbf1607b0a2ce4ee26e4942f6e6fcdbfcb0b528dac52f4dbfa4714e2cf
                                                    SHA512: b629faa78b9ce2b08dc84d6ca38852d10fafa4bcaa5927a4743e892189b9db3202266b6baae11645077393fb88e95a8d4c6d87920724f913cd4976a9d69c1daa

                                                  • C:\Users\Admin\AppData\Local\Temp\IiE7ZcOOcVUd.bat
                                                    Filesize: 204B
                                                    MD5: 5ecf5ae4ced512ea6e0d5b3cc700f62a
                                                    SHA1: 325fb18e5120320ad930852cbf1a3fd3d2da284c
                                                    SHA256: 4709a7fb3d85b793563be539465b84fd02cd292042e6368116ef6ab0ffae7a4d
                                                    SHA512: 96367156b534afb36783c7397b8f1d6f5b69096dc201ac54050ea003e793b7f1f6ca33a864168bf7c270be078c2d18383b09dc0a9da633d5727ac7c4439b9d3a

                                                  • C:\Users\Admin\AppData\Local\Temp\PsjMQ4qbaTkr.bat
                                                    Filesize: 204B
                                                    MD5: 66ef3d7e3bdaaac4ec44542d6821b2ea
                                                    SHA1: 28928bb1c2f16223268f332f88b40e69a0f529fe
                                                    SHA256: 59ad232060eb121284110bfe0be3d5eca0123a30367e6933e9f739f6e73a0746
                                                    SHA512: 53541d7c23de5bdc75eab66e5845c31f964c574c9ecf715588f5c0f041c7e1bfaad43288478c83fe62ded4134b7a59647b0f0e47140d727b718b9c047c58bc3a

                                                  • C:\Users\Admin\AppData\Local\Temp\SvgLupwUcALz.bat
                                                    Filesize: 204B
                                                    MD5: 9775265be84061192297a83a83403c1f
                                                    SHA1: 13cc01f0044b636c9876ae15a0d85ab87f1a0822
                                                    SHA256: f3f9c0e7d87c8841df93c0dfb817b4726bb6556a409b9d3b86636d068c57fff0
                                                    SHA512: a5821c4b1f6a7d580936cb9aafe16774099f5651044abd24bbde3bd6ccb7b37228876ab94538bf69750d64923c3ed4806db07017e1b7810880473445d143a378

                                                  • C:\Users\Admin\AppData\Local\Temp\TWKuUjNHFXWj.bat
                                                    Filesize: 204B
                                                    MD5: aeb6b9875c59a725915266ef4b1dfbac
                                                    SHA1: a64b0a1ee69047552f76b55af392c815dc97b43f
                                                    SHA256: d53c36330516ccac7b1de8c7dd4ff7376878790d279fb3ced62c378a81d744e1
                                                    SHA512: eedb0662f7094afbf7c8d69e72f65d84083309d72779e0e36855ee69efa6667e18ef746ec83a94262983915726c306923a46ca7106b56a5b0caab256fdd1940f

                                                  • C:\Users\Admin\AppData\Local\Temp\VeFbEV00Wwzy.bat
                                                    Filesize: 204B
                                                    MD5: 38193cab429c33fc2679e7431003f4f3
                                                    SHA1: f57888f8e7749cb09425fc57898fc47f310383c3
                                                    SHA256: 7bf72f15b7f4a85791b9ef5363ee2dad93be666babb569e6d2a3d57cdba2a702
                                                    SHA512: 6019ec08d9be7ed9e375f92ffbef7461a909507a63fa038e5311dc89deca666a722448172ec8f21a6fb39cb45719097ca56a8f519f4916d99505f4d5cc95d199

                                                  • C:\Users\Admin\AppData\Local\Temp\W7lUz8pWMPpn.bat
                                                    Filesize: 204B
                                                    MD5: 070549048e8e636c807b7712d810adec
                                                    SHA1: e0f480cd300d6ae877e6b40d3eafb83e13c75534
                                                    SHA256: b72fbb8bcc31061d001943a29d685c0a7beec4e9083f1eb563fa4a42c59e6058
                                                    SHA512: 60ad384d83f78aa5a3d04005bf444536477f024483db23c75cebbf53545eac0d79670faddbdfe0f7f219d49eb50bcf9ffa4cd4ec071dce749e191b0932f7ff76

                                                  • C:\Users\Admin\AppData\Local\Temp\WCudxH9lkNFr.bat
                                                    Filesize: 204B
                                                    MD5: 3df43601304ffce256a6f3b418b03434
                                                    SHA1: b8537bc4a1a3c738ee27a15720b64910ce8e2254
                                                    SHA256: 78bcbcc7a87d14a8d98c4bd0a7b62858503f1d6033326b4b514c2eb1f9bbff38
                                                    SHA512: ddb103014a88fdcaeff8ee2a8cbfecb791ac91fce61b0d1bd47acee9589d98a141356a94e7308c516f46c5d394a18ecc2eec812a1eb2fde69aa5c102c9c1886b

                                                  • C:\Users\Admin\AppData\Local\Temp\fytIjLcgCjOP.bat
                                                    Filesize: 204B
                                                    MD5: 87568cd9af95148d9b35dbba41b8f330
                                                    SHA1: 25d04d31440b93b3e2b502d2a7380d6303fdc41c
                                                    SHA256: 7f480b1ab30645eb49bbe4505732eb606e777c64a8051f225998be48442f0fb6
                                                    SHA512: d94103999c3dd72c6d600fad0d7e93d57759a539d4a02c89126604bfe240f496ad8f6d87fd0963f3c8c9a87bc826730269339fae874fc2af56cdc3dc4d991c88

                                                  • C:\Users\Admin\AppData\Local\Temp\iPU1zKcBXY2l.bat
                                                    Filesize: 204B
                                                    MD5: eb10acb7880f5e49f7837b539522a971
                                                    SHA1: d1dcc55ecaaf875a65c4c303d4af750ff5ff9e7b
                                                    SHA256: c4a10a643f041b610ef1d84539b39c973d2f859e62f2016ecd17c3386d86c75b
                                                    SHA512: ce147a19da372b976833cc8d41ca0915b7313115c0622c27431eec7e66539e65e7464530d4d8a27a91bcee492c795a43d15f42736b60bf59f95d4ee8bc6acb48

                                                  • C:\Users\Admin\AppData\Local\Temp\tfD9octdj03C.bat
                                                    Filesize: 204B
                                                    MD5: f155d0c10d4fc156fba3581f56d4807f
                                                    SHA1: 35d7f4cd53ec3109ac508e228961c48fa811beb6
                                                    SHA256: 46a9d4698abf34d87d53f13fec2b7bd2094fe5a5f2191f383faed25084241753
                                                    SHA512: 257b8f2e2487e0f0033433e86a8245deef60557b4d2fbf24aa130c3e939cfd9b03c1150c3a4f57325fc396c607c74b2addeff3448dd80d51eb31216c5691c396

                                                  • C:\Users\Admin\AppData\Local\Temp\wC8XrhgPClRM.bat
                                                    Filesize: 204B
                                                    MD5: d60f1414ba53f0445c10e5c8de3a33b8
                                                    SHA1: 5a22ec80c0e547fd9c137968f150d20c95536d45
                                                    SHA256: a82122a55d481c0c5e3babec8aa201cd025f9f01fa6a7b6174ac2af9de7b0061
                                                    SHA512: c6c760ea0bfb13208a1e0313cf4df76be9516198be3bd29689879c7aca0255562444b5208e83bc285306159b88515882c1653fd4f0be27bc6ede7c3a424dcf4c

                                                  • C:\Windows\System32\SubDir\SolaraExecutor.exe
                                                    Filesize: 3.1MB
                                                    MD5: 3cf4f19b7c69135acb3c4c9bb9cdfb90
                                                    SHA1: e2b5a40dd2abfa03671fde7c4e74f9b2846f989f
                                                    SHA256: 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf
                                                    SHA512: 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd

                                                  • memory/1784-9-0x00007FFFF7C60000-0x00007FFFF8721000-memory.dmp
                                                    Filesize: 10.8MB

                                                  • memory/1784-17-0x00007FFFF7C60000-0x00007FFFF8721000-memory.dmp
                                                    Filesize: 10.8MB

                                                  • memory/1784-12-0x000000001BF90000-0x000000001C042000-memory.dmp
                                                    Filesize: 712KB

                                                  • memory/1784-11-0x000000001BE80000-0x000000001BED0000-memory.dmp
                                                    Filesize: 320KB

                                                  • memory/1784-10-0x00007FFFF7C60000-0x00007FFFF8721000-memory.dmp
                                                    Filesize: 10.8MB

                                                  • memory/4664-2-0x00007FFFF7C60000-0x00007FFFF8721000-memory.dmp
                                                    Filesize: 10.8MB

                                                  • memory/4664-0-0x00007FFFF7C63000-0x00007FFFF7C65000-memory.dmp
                                                    Filesize: 8KB

                                                  • memory/4664-1-0x0000000000A30000-0x0000000000D54000-memory.dmp
                                                    Filesize: 3.1MB

                                                  • memory/4664-8-0x00007FFFF7C60000-0x00007FFFF8721000-memory.dmp
                                                    Filesize: 10.8MB