Analysis Overview
SHA256
15a29041d43b33af3f35611c8c8d2d398f864b671bf9235afdef9751e0815b7a
Threat Level: Known bad
The file 3cf4f19b7c69135acb3c4c9bb9cdfb90.bin was found to be: Known bad.
Note: that file name is the MD5 of the dropped payload C:\Windows\System32\SubDir\SolaraExecutor.exe listed under Files, and the sample executed in the sandbox is named after that payload's SHA256 (6aabee55…cdaf.exe in Processes), whereas the SHA256 shown above (15a29041…) does not match it. The report does not reconcile the two values, so use the hashes recorded under Files when matching the dropped binary.
Malicious Activity Summary
Quasar payload
Quasar RAT
Quasar family
Executes dropped EXE
Checks computer location settings
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-05 01:22
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-05 01:22
Reported
2024-08-05 01:24
Platform
win7-20240705-en
Max time kernel
145s
Max time network
123s
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target | Hits |
| N/A | N/A | N/A | N/A | 14 |
Executes dropped EXE
| Description | Indicator | Process | Target | Hits |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A | 15 |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | N/A |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target | Hits |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A | 15 |
Runs ping.exe
| Description | Indicator | Process | Target | Hits |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A | 15 |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target | Hits |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A | 16 |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target | Hits |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A | 15 |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target | Hits |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A | 15 |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target | Hits |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A | 3 |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
Image and command line, in the order reported:
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | "C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe" |
| C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\SubDir\SolaraExecutor.exe | "C:\Windows\system32\SubDir\SolaraExecutor.exe" |
| C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f |
| C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\L7sBEjbHQdxN.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
The last five rows (SolaraExecutor.exe, schtasks.exe, cmd.exe, chcp.com, PING.EXE) then recur 14 more times with identical command lines except for the batch file passed to cmd.exe, which in order is:
C:\Users\Admin\AppData\Local\Temp\d9hsAOnd4HyZ.bat
C:\Users\Admin\AppData\Local\Temp\UDToL1N0H78L.bat
C:\Users\Admin\AppData\Local\Temp\0ygmK23w7iA9.bat
C:\Users\Admin\AppData\Local\Temp\3TguxC4Ul1Wk.bat
C:\Users\Admin\AppData\Local\Temp\2Ku9NUao0RCr.bat
C:\Users\Admin\AppData\Local\Temp\Li0JO1LK19fK.bat
C:\Users\Admin\AppData\Local\Temp\3uTqsouO5Mmx.bat
C:\Users\Admin\AppData\Local\Temp\2lhNmCNHvCa4.bat
C:\Users\Admin\AppData\Local\Temp\Z019MF8Sq4xM.bat
C:\Users\Admin\AppData\Local\Temp\eEAn0qcaD6Aq.bat
C:\Users\Admin\AppData\Local\Temp\KDOf3zF5H1Wg.bat
C:\Users\Admin\AppData\Local\Temp\5zDbpDGkiedn.bat
C:\Users\Admin\AppData\Local\Temp\DD5qZdC2v0he.bat
C:\Users\Admin\AppData\Local\Temp\nwBAUhCBqxYP.bat
In total: 15 launches of SolaraExecutor.exe, 16 of schtasks.exe (one from the original sample, one from each SolaraExecutor.exe instance), and 15 cmd.exe / chcp.com / PING.EXE triples.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
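The Processes and Network sections above contain three behaviours worth turning into detection logic: the schtasks persistence command (logon trigger, highest run level, forced overwrite, and a task name borrowed from a Realtek audio service while the action is SolaraExecutor.exe), the cmd.exe batch that runs chcp 65001 and ping -n 10 localhost as a delay before the RAT relaunches itself, and a DNS query for a <label>-<number>.portmap.host name, which is the only network activity the sandbox recorded (the lookup itself, no traffic to the resolved host). The Python below is an added example and is not part of the sandbox report or of Quasar; the event dicts are constructed from the command lines above, with one benign scheduled task and one benign DNS query added for contrast, and their field names are an assumption rather than any real log schema.

```python
import json
import re

# Constructed events modelled on the Processes and Network sections of this
# report. The dict keys are an assumption made for this example, not a real
# log schema; the last process event and the second DNS event are benign
# entries added for contrast and do not appear in the report.
PROCESS_EVENTS = [
    {"image": r"C:\Windows\system32\schtasks.exe",
     "cmd": r'"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON '
            r'/tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f'},
    {"image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\L7sBEjbHQdxN.bat" "'},
    {"image": r"C:\Windows\system32\chcp.com", "cmd": "chcp 65001"},
    {"image": r"C:\Windows\system32\PING.EXE", "cmd": "ping -n 10 localhost"},
    {"image": r"C:\Windows\system32\schtasks.exe",
     "cmd": r'"schtasks" /create /tn "AcmeBackup" /sc DAILY /tr "C:\Program Files\Acme\backup.exe"'},
]
DNS_EVENTS = [
    {"query": "nohchy-47404.portmap.host", "server": "8.8.8.8"},
    {"query": "www.msftconnecttest.com", "server": "8.8.8.8"},
]

_FLAG = re.compile(r'/(tn|sc|tr|rl)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def parse_schtasks(cmd):
    """Pull /tn, /sc, /tr and /rl out of a schtasks command line, plus whether
    it is a /create and whether /f (overwrite an existing task) was given."""
    fields = {key.lower(): quoted or bare for key, quoted, bare in _FLAG.findall(cmd)}
    fields["create"] = re.search(r"/create\b", cmd, re.IGNORECASE) is not None
    fields["force"] = re.search(r"(?:^|\s)/f(?:\s|$)", cmd, re.IGNORECASE) is not None
    return fields


def task_persistence_findings(cmd):
    """Reasons a schtasks /create looks like the persistence seen in this report."""
    task = parse_schtasks(cmd)
    if not task["create"] or "tr" not in task:
        return []
    action_exe = task["tr"].rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    name = task.get("tn", "").lower()
    reasons = []
    if task.get("sc", "").upper() == "ONLOGON":
        reasons.append("triggers at every logon")
    if task.get("rl", "").upper() == "HIGHEST":
        reasons.append("requests the highest run level")
    if task["force"]:
        reasons.append("/f silently replaces any task with the same name")
    # A name borrowed from a vendor component whose binary the action is not.
    if name and action_exe and name not in action_exe and action_exe not in name:
        reasons.append(f"task name {task['tn']!r} does not match action {action_exe!r}")
    return reasons


def restart_batch_chains(events):
    """Batch files launched from %TEMP% by cmd.exe and immediately followed by
    'chcp 65001' and 'ping -n <n> localhost', the delay-and-relaunch pattern
    repeated fifteen times in this report. Events are assumed to be in creation
    order, since the constructed records carry no parent process id."""
    bat = re.compile(r'\\AppData\\Local\\Temp\\([^\\"]+\.bat)', re.IGNORECASE)
    hits = []
    for i, ev in enumerate(events):
        if not ev["image"].lower().endswith("\\cmd.exe"):
            continue
        m = bat.search(ev["cmd"])
        if m is None:
            continue
        following = " | ".join(e["cmd"].lower() for e in events[i + 1:i + 3])
        if "chcp 65001" in following and re.search(r"ping -n \d+ localhost", following):
            hits.append(m.group(1))
    return hits


def tunnel_dns_queries(dns_events):
    """Queries for <label>-<number>.portmap.host names, the port-forwarding
    service hostname the sample resolved through 8.8.8.8."""
    pattern = re.compile(r"^[a-z0-9]+-\d{2,5}\.portmap\.host$", re.IGNORECASE)
    return [d["query"] for d in dns_events if pattern.match(d["query"])]


def run_detections(events=PROCESS_EVENTS, dns_events=DNS_EVENTS):
    flagged_tasks = {}
    for ev in events:
        if ev["image"].lower().endswith("\\schtasks.exe"):
            reasons = task_persistence_findings(ev["cmd"])
            if reasons:
                flagged_tasks[ev["cmd"]] = reasons
    return {
        "scheduled_tasks": flagged_tasks,
        "restart_batches": restart_batch_chains(events),
        "tunnel_dns": tunnel_dns_queries(dns_events),
    }


if __name__ == "__main__":
    print(json.dumps(run_detections(), indent=2))
```

The scheduled-task rule scores the combination rather than any single flag: ONLOGON tasks with /rl HIGHEST are common for legitimate installers, but the mismatch between a vendor-style task name and an unrelated action binary, plus /f, is what separates this entry from the benign one. On a real host, pair the rule with a check that the action path actually exists and is signed, which the sandbox's "Unsigned PE" signature already tells you would fail here.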
Files
memory/2460-0-0x000007FEF5AB3000-0x000007FEF5AB4000-memory.dmp
memory/2460-1-0x0000000000F10000-0x0000000001234000-memory.dmp
memory/2460-2-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp
C:\Windows\System32\SubDir\SolaraExecutor.exe
| MD5 | 3cf4f19b7c69135acb3c4c9bb9cdfb90 |
| SHA1 | e2b5a40dd2abfa03671fde7c4e74f9b2846f989f |
| SHA256 | 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf |
| SHA512 | 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd |
memory/2460-7-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp
memory/2152-9-0x0000000000A00000-0x0000000000D24000-memory.dmp
memory/2152-8-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp
memory/2152-10-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\L7sBEjbHQdxN.bat
| MD5 | feca430d7239917c3a250ead322ef646 |
| SHA1 | 200a75d043ca2a26de3683e2e7cbad601f700d2b |
| SHA256 | ca4d0ce614b201c2e9a23d041e57a3075d96359c2729384090b9ca1ef7304b85 |
| SHA512 | 96ff23169cc7552d437e95181c81c0c3896838d64da5a8fabba3ae7cfa6c2c349c3814c727cb980999deece7aa1637bd182d7f18a4a47ca105fbf3552174854c |
memory/2152-19-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp
memory/2688-22-0x0000000000240000-0x0000000000564000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d9hsAOnd4HyZ.bat
| MD5 | f0274196c3a44503b95f41f1ac1f208f |
| SHA1 | cb9ddcf0d846d4a0a19e8df04be4eb3fdcf7589f |
| SHA256 | 3103b81aa120c2b04df7f9183614caa8dd9bde36a53dd6ff05d796faa171cea1 |
| SHA512 | 82d100dc28abc9b6856be7c3cc33ee35da539fe32330921a2aadd23a789256db8983555d754ad9fa92279ccab72b98ed56962adcad33fa89c5d5880d7cb74fa4 |
memory/2852-33-0x0000000000170000-0x0000000000494000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\UDToL1N0H78L.bat
| MD5 | c31761c97ab416bd13307fb85c968c6f |
| SHA1 | a866e13196002b237104a10532657374d25787bc |
| SHA256 | 0b2cf460b38f057a206d2ffb0af27a967c7460211e1d782e4bbf1127e02356b9 |
| SHA512 | 6414333d6011d52b7d94fc5e3dacb994b4b30d18c52041c3421b02ed5e658242f2865731bcbfab742c47d4c3d53fa26ca555130ec4153d2ff568178796d807d1 |
memory/1656-45-0x00000000010D0000-0x00000000013F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0ygmK23w7iA9.bat
| MD5 | 2910f681fd312bc4c1f340fa1ba9d939 |
| SHA1 | a0cd81040e4ee72dfb373bc28a8d30e189db7ab4 |
| SHA256 | 36dbeb626bcb2a73fd119cc660df804f291afa4095c047223848b23aaa872a59 |
| SHA512 | 45c9387dc8b34d042e65ca9cf994982edfa8cd0e33eae95e23520a248c70eec7cd96150ee214372d594e5ec4db4f51edf2d83b4fec805c933ccf74c1fc844d91 |
memory/2348-56-0x0000000000300000-0x0000000000624000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3TguxC4Ul1Wk.bat
| MD5 | 23af2385aa23cdac85077c257c8a0cb6 |
| SHA1 | 8ecaf8d174649fbbf2f708261980f8f64deace6f |
| SHA256 | a669ed36f2bf733f3ecd1b5c093b5e867c6cb302a48b6670b2007b4179f0a749 |
| SHA512 | 6382fcc0de552e2fc8d20d89f0e6ff1f97483f5dd54df9e3ab1f91766c60d81787459af76d2453c552118c19de7816dc27eaa417851e33cf31f156fef33d0806 |
memory/1956-67-0x0000000000F90000-0x00000000012B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2Ku9NUao0RCr.bat
| MD5 | 55b53992d2888712b8145e27b10a97e1 |
| SHA1 | 00affca3f39529319666371369d648ef64f72c1a |
| SHA256 | ce9fb051707888c7119c2eb30accd4f3445b3535639776884c22d52b322920d7 |
| SHA512 | ac9ff08632d54986c3e11e8d023c48e461d62b4c49319110f408b7c0371b821e1069ab325901078be23cd5eb1828daebb6366d8545f3c5930fb82193e99ebb2c |
C:\Users\Admin\AppData\Local\Temp\Li0JO1LK19fK.bat
| MD5 | 3015a387064a6d27cbec6b91abe71400 |
| SHA1 | ac91d1b9d5cf2594850dba04194075b1ef78941e |
| SHA256 | c0870fdaeca46b93ae8c87b75c83ccfbe88b40a9224624a75b268b8cb849949c |
| SHA512 | b12472ebcab69b74890ecef8628d4f77957f68127097e24fda1375ae671aac1a1055f1114ebcfedbc40399a223f2261be9ca6df674be4d8c65adceaeded81e49 |
C:\Users\Admin\AppData\Local\Temp\3uTqsouO5Mmx.bat
| MD5 | f40bb1a30cf1b526f040f5944b87d544 |
| SHA1 | 312247b9771a11bd1410319eb22d3a9cf15e6b80 |
| SHA256 | 488a9f6d852061798a85092e5331711c300d60912ef2579939198a3649780731 |
| SHA512 | a9412d44865ec3c54f816a87f5b0f14f3350959f74278f70f38bbb79cf0e981cb84bfec91b1d0525f6119b12909382655d1affff6e91123f2181a8547746e675 |
memory/2644-99-0x00000000012C0000-0x00000000015E4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2lhNmCNHvCa4.bat
| MD5 | e798cdd9b01b5b6661ef9395c3c8d5a7 |
| SHA1 | 10cba84d01ba0ecd234229efa8fb15fc813e8030 |
| SHA256 | 5ec221ea7fdcbd59cc42ea8b67a95220764c993850bad68d59860cb7fd0130f0 |
| SHA512 | f3c542fe746889a84e88fa731232d0bce0146504da2f655bb546b57166f7eeefb904a4cd29d85bf376663da1204e6df127233d1f979297f48ed9d01400226eb0 |
memory/948-110-0x0000000000350000-0x0000000000674000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Z019MF8Sq4xM.bat
| MD5 | c5b5aff27893b3c59e91fe53fd2d85b3 |
| SHA1 | 475e4643f4b245f6a99a502b3f9bfa2fd26a3e10 |
| SHA256 | 76241c77e3244001109a2de1a0a716314bf8a4feb039799e40c1b9183780976d |
| SHA512 | ddbd3f2a191f58d57a3cb5fb088c7ff608caa22e900c9f28e2c7c489a6930a6c979394f03787fb799d0dc9ebd36f447b1604fc7d69287883bb57229cac01d69e |
memory/1116-122-0x0000000001160000-0x0000000001484000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\eEAn0qcaD6Aq.bat
| MD5 | d4bc36b5dab9beca2ead75e55cdcb568 |
| SHA1 | 4f48bec8f6d0a9e50f8863cdcbb8ea594eff1eda |
| SHA256 | 861b0259a45455737e263cb115fcbc79a5668862d3f153e4ac02bb57582e84b1 |
| SHA512 | eb6186664beabf8a18708a14e301bd3fb3affafb88abdb01cc969992bb47bc9ed09faf2303eb658fd3229a0ba47998aa7e2fbf993b646b90bded37c0aea07218 |
C:\Users\Admin\AppData\Local\Temp\KDOf3zF5H1Wg.bat
| MD5 | 40393af952536ef306d6c0cd07c78cb3 |
| SHA1 | c055b267c6b184114f622c8a1f1c7f66d856051a |
| SHA256 | f5faae36cc1057e04f1f38c93dcddaa99e6faeeb7903b343e17beaa98445d19d |
| SHA512 | ce1f61f222a5d4ad66656606f44a40f52bc61c6d423bcb38c6be3e0de1a27703fb1c783776aeba1bd551fcf221d96f949332d57c9b1f9e9950d49f4accc7a29e |
memory/1920-145-0x00000000003F0000-0x0000000000714000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5zDbpDGkiedn.bat
| MD5 | 61a3ef50a55be54bbb71be14037941ad |
| SHA1 | 9bd2c451b466db9382cb91c9183786ca6312bfb9 |
| SHA256 | 98533b2b338db80c96e2405a283d5b02a621c962f3a698677b8433eb7249eb4a |
| SHA512 | 1445fe697d5bc5f074b6194b5de21b710b05a347a60a619c75eecf8cfd613088168acdda77dcbd598660907ea023077ce24b0fbb0e8c5874c5a549a0c7169946 |
memory/1944-156-0x0000000000D60000-0x0000000001084000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DD5qZdC2v0he.bat
| MD5 | da9c1996b70db0228d90a2ce3d3cc341 |
| SHA1 | 9112f3d4cc458483e50c1d6495b3e0a78f7ce250 |
| SHA256 | 6bc8a6709e0d94e540235f834b1f838a31218076c802865050b50d2d833ebdb6 |
| SHA512 | 426d03f3256600777acf7f3f1c3587cb5b597af42e665f59924da5819ccf3637ad487442c2f6207aaad0c8233859ded30731f650d67b9829a05764de7d4b6e78 |
memory/2884-168-0x0000000001370000-0x0000000001694000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nwBAUhCBqxYP.bat
| MD5 | fbec21052fda9416016a3d874523135e |
| SHA1 | 1a1fffc73247bd90bed690a0b04c94a9cbc0225d |
| SHA256 | c9379c25e78ab8548c8fdc146d70cbca15f783bbf208a20712e85fc41564dc39 |
| SHA512 | ad9d7a89d8c84b43b24f9e0a7b70950cd76f0554dc402e820032943ae40998aeb0efbf7a59baddc04604f76db8800c6ca3953651cc21e25c3eeb904d7c759e44 |
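The Files section lists every dropped file with four hashes, but two kinds of entry need care before the list becomes an IOC set: the memory/... lines are in-memory dumps with no hashes at all, and the \??\PIPE\srvsvc entry carries the MD5, SHA1, SHA256 and SHA512 of zero bytes (d41d8cd9…, da39a3ee…, e3b0c442…, cf83e135…), meaning the sandbox captured no content from that named pipe; those values would match every empty file on a host. The Python below is an added example, not part of the report: it parses an excerpt of the section embedded as constructed input, drops both kinds of entry, recomputes the empty digests with hashlib instead of trusting the table, and resolves the submitted file name 3cf4f19b7c69135acb3c4c9bb9cdfb90.bin back to the entry whose MD5 it is (the dropped SolaraExecutor.exe).

```python
import hashlib
import re

# Excerpt of the Files section of this report, embedded as constructed input.
FILES_SECTION = r"""
memory/2460-1-0x0000000000F10000-0x0000000001234000-memory.dmp
C:\Windows\System32\SubDir\SolaraExecutor.exe
| MD5 | 3cf4f19b7c69135acb3c4c9bb9cdfb90 |
| SHA1 | e2b5a40dd2abfa03671fde7c4e74f9b2846f989f |
| SHA256 | 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf |
C:\Users\Admin\AppData\Local\Temp\L7sBEjbHQdxN.bat
| MD5 | feca430d7239917c3a250ead322ef646 |
| SHA1 | 200a75d043ca2a26de3683e2e7cbad601f700d2b |
| SHA256 | ca4d0ce614b201c2e9a23d041e57a3075d96359c2729384090b9ca1ef7304b85 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
"""

ALGOS = ("md5", "sha1", "sha256", "sha512")
# Digests of zero bytes, computed rather than copied from the report.
EMPTY_DIGESTS = {a: hashlib.new(a, b"").hexdigest() for a in ALGOS}
ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def parse_file_entries(text):
    """Group the section into entries: a path line followed by hash rows."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
        elif not line.startswith("|"):
            current = {"path": line}
            entries.append(current)
    return entries


def is_empty_digest(entry):
    """True when every recorded hash is the digest of zero bytes."""
    hashes = [(a, entry[a]) for a in ALGOS if a in entry]
    return bool(hashes) and all(EMPTY_DIGESTS[a] == h for a, h in hashes)


def build_ioc_index(entries):
    """Map hash value -> path, skipping memory dumps and empty-content artefacts."""
    index = {}
    for e in entries:
        if e["path"].startswith("memory/") or is_empty_digest(e):
            continue
        for a in ALGOS:
            if a in e:
                index[e[a]] = e["path"]
    return index


def digests(data):
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def match_bytes(data, index):
    """Return the report path whose hash matches the data, or None."""
    for d in digests(data).values():
        if d in index:
            return index[d]
    return None


def entry_for_submitted_name(entries, filename):
    """Paths whose recorded hash equals the stem of a hash-named submission,
    e.g. 3cf4f19b7c69135acb3c4c9bb9cdfb90.bin -> the dropped SolaraExecutor.exe."""
    stem = filename.rsplit(".", 1)[0].lower()
    return [e["path"] for e in entries if any(e.get(a) == stem for a in ALGOS)]


if __name__ == "__main__":
    found = parse_file_entries(FILES_SECTION)
    print(len(build_ioc_index(found)), "usable hash IOCs")
    print(entry_for_submitted_name(found, "3cf4f19b7c69135acb3c4c9bb9cdfb90.bin"))
```

The .bat hashes are worth keeping as IOCs only for this detonation: the batch files carry random names and, on other runs, will differ, so the durable indicators are the SolaraExecutor.exe hashes, the System32\SubDir path and the RtkAudUService64 task name.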
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-05 01:22
Reported
2024-08-05 01:24
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
150s
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target | Hits |
| N/A | N/A | N/A | N/A | 2 |
Checks computer location settings
| Description | Indicator | Process | Target | Hits |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A | 15 |
Executes dropped EXE
| Description | Indicator | Process | Target | Hits |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A | 15 |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\SolaraExecutor.exe | C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe | N/A |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target | Hits |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A | 15 |
Runs ping.exe
| Description | Indicator | Process | Target | Hits |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A | 15 |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target | Hits |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A | 16 |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target | Hits |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A | 15 |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target | Hits |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A | 15 |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\SolaraExecutor.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe
"C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W7lUz8pWMPpn.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\16ZVFvTZz0CJ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iPU1zKcBXY2l.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tfD9octdj03C.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCudxH9lkNFr.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VeFbEV00Wwzy.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fytIjLcgCjOP.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2EPZmyYmsYuF.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wC8XrhgPClRM.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\26O8SILkCMi4.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SvgLupwUcALz.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hux1T2XIq2Bb.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TWKuUjNHFXWj.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IiE7ZcOOcVUd.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\SubDir\SolaraExecutor.exe
"C:\Windows\system32\SubDir\SolaraExecutor.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PsjMQ4qbaTkr.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
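The Processes list above shows the two behaviours a responder would want to alert on: schtasks creating an ONLOGON task at the highest run level that points into C:\Windows\system32\SubDir (Quasar's default install subfolder, here under a task name borrowed from the Realtek Audio Universal Service binary, RtkAudUService64), and cmd.exe running a .bat from %TEMP% that sleeps with ping -n 10 localhost before the client relaunches. The script below is an added detection example written for this page, not sandbox output and not Quasar code. It replays constructed process-creation records built from the command lines above (PIDs and parent links are assumed) and flags both patterns; the allowlist of legitimate System32 subfolders is an assumption to tune locally.

```python
import re
from collections import defaultdict

# Constructed process-creation records mirroring the chain in the Processes section.
# PIDs/PPIDs and parent-child links are assumptions for this example; image paths and
# command lines are copied from the report. The last record is a benign control.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf.exe"'},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'"schtasks" /create /tn "RtkAudUService64" /sc ONLOGON /tr "C:\Windows\system32\SubDir\SolaraExecutor.exe" /rl HIGHEST /f'},
    {"pid": 102, "ppid": 100, "image": r"C:\Windows\system32\SubDir\SolaraExecutor.exe",
     "cmdline": r'"C:\Windows\system32\SubDir\SolaraExecutor.exe"'},
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W7lUz8pWMPpn.bat" "'},
    {"pid": 104, "ppid": 103, "image": r"C:\Windows\system32\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 105, "ppid": 103, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 10 localhost"},
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\SYSTEM32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "NightlyBackup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe" /f'},
]

# /opt, optionally followed by a quoted or bare value (a value never starts with '/').
SCHTASKS_OPT = re.compile(r'/(\w+)(?:\s+(?:"([^"]*)"|(?!/)(\S+)))?', re.IGNORECASE)
BAT_IN_TEMP = re.compile(r'\\temp\\[^"\\]+\.bat', re.IGNORECASE)
PING_DELAY = re.compile(r"ping(\.exe)?\s+-n\s+\d+\s+(localhost|127\.0\.0\.1)", re.IGNORECASE)

# Assumption: System32 subfolders that legitimately host task targets on most builds.
SYSTEM32_OK_SUBDIRS = ("wbem", "windowspowershell", "driverstore")


def parse_schtasks(cmdline):
    """Return {option: value} for a schtasks command line; valueless flags map to None."""
    opts = {}
    for m in SCHTASKS_OPT.finditer(cmdline):
        opts[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return opts


def suspicious_target(path):
    """True for a task target in a user-writable tree or a non-standard System32 subfolder."""
    p = path.lower()
    if re.search(r"\\(users|programdata|temp)\\", p):
        return True
    m = re.match(r"[a-z]:\\windows\\system32\\(.+)$", p)
    if not m or "\\" not in m.group(1):
        return False                      # directly in System32, or not under System32 at all
    return m.group(1).split("\\")[0] not in SYSTEM32_OK_SUBDIRS


def detect(events):
    """Apply both rules to process-creation events; returns a list of findings."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for e in events:
        image = e["image"].lower()
        if image.endswith("\\schtasks.exe"):
            o = parse_schtasks(e["cmdline"])
            if ("create" in o
                    and (o.get("sc") or "").upper() in ("ONLOGON", "ONSTART")
                    and (o.get("rl") or "").upper() == "HIGHEST"
                    and suspicious_target(o.get("tr") or "")):
                findings.append({"rule": "schtasks_highest_onlogon_suspicious_path",
                                 "pid": e["pid"], "task": o.get("tn"), "target": o["tr"]})
        elif image.endswith("\\cmd.exe"):
            bat = BAT_IN_TEMP.search(e["cmdline"])
            # A %TEMP% batch whose child is "ping -n N localhost" is a sleep-then-relaunch stub.
            if bat and any(PING_DELAY.search(c["cmdline"]) for c in children[e["pid"]]):
                findings.append({"rule": "temp_batch_ping_delay",
                                 "pid": e["pid"], "batch": bat.group(0)})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Both rules key on arguments rather than on the task name, because the name is operator-chosen (here it impersonates a Realtek service) while the ONLOGON/HIGHEST/non-standard-path combination is what the Quasar client emits when it installs with elevated rights. Running the block prints the two findings for PIDs 101 and 103 and nothing for the benign control.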
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | | udp |
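The Network table records a single TCP connection (g.bing.com, background Windows traffic) and a long run of UDP lookups for nohchy-47404.portmap.host with no connection to a resolved address. portmap.host belongs to the Portmap.io port-forwarding service, which lets an operator expose a listener behind NAT under a throwaway hostname; a Quasar client that cannot reach its host reconnects on a fixed delay, which is what the repeated lookups look like. The script below is an added example for this page (not report or sandbox code) that parses rows in the table's format, counts forward lookups per domain, ignores in-addr.arpa reverse lookups, and flags tunnelling-service hostnames and domains resolved repeatedly without a recorded follow-up connection. The rows are a constructed subset of the table (one damaged row included to show it is skipped); the suffix list beyond portmap.host is an assumption.

```python
import re
from collections import Counter

# Constructed subset of the Network table above, same column order
# (Country | Destination | Domain | Proto). Sample input, not captured traffic.
SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | nohchy-47404.portmap.host | udp |
| US | 8.8.8.8:53 | udp |
"""

# Hostname suffixes of tunnelling / port-forwarding services. portmap.host is the one in
# the report; the remaining entries are assumptions added to broaden the check.
TUNNEL_SUFFIXES = (".portmap.host", ".portmap.io", ".ngrok.io", ".ngrok-free.app", ".serveo.net")


def parse_rows(text):
    """Parse Markdown-style table rows into dicts; rows without four cells are skipped."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue                       # header, separator or damaged row
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def analyse(rows, min_lookups=3):
    """Per-domain lookup counts plus findings for tunnelling hostnames and for domains
    queried at least min_lookups times with no non-DNS connection recorded for them."""
    forward = Counter(r["domain"] for r in rows
                      if r["port"] == 53 and not r["domain"].endswith(".in-addr.arpa"))
    connected = {r["domain"] for r in rows if r["port"] != 53}
    findings = []
    for domain, n in forward.items():
        reasons = []
        if domain.lower().endswith(TUNNEL_SUFFIXES):
            reasons.append("tunnelling-service hostname")
        if n >= min_lookups and domain not in connected:
            reasons.append(f"{n} lookups with no recorded follow-up connection")
        if reasons:
            findings.append({"domain": domain, "lookups": n, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(parse_rows(SAMPLE_ROWS)):
        print(f)
```

The "no follow-up connection" reason is a weak signal on its own (the sandbox may simply not have recorded the TCP side), so it is reported together with the lookup count and the suffix match rather than as an alert by itself. On the sample rows the block reports only nohchy-47404.portmap.host, with both reasons, and leaves g.bing.com alone.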
Files
memory/4664-0-0x00007FFFF7C63000-0x00007FFFF7C65000-memory.dmp
memory/4664-1-0x0000000000A30000-0x0000000000D54000-memory.dmp
memory/4664-2-0x00007FFFF7C60000-0x00007FFFF8721000-memory.dmp
C:\Windows\System32\SubDir\SolaraExecutor.exe
| MD5 | 3cf4f19b7c69135acb3c4c9bb9cdfb90 |
| SHA1 | e2b5a40dd2abfa03671fde7c4e74f9b2846f989f |
| SHA256 | 6aabee552a530d63bdabc02cbe5714fcb7e1f9c826acb0b27ad267d50065cdaf |
| SHA512 | 4b4237eaf8ca42456b5ce183c83ba3f0cd382dfa5ae775a9433db4f7091ac0295267e80fcd93861a1022288ebf7c3a9d3b7caa07423f75c0b685812bf97996cd |
memory/1784-9-0x00007FFFF7C60000-0x00007FFFF8721000-memory.dmp
memory/4664-8-0x00007FFFF7C60000-0x00007FFFF8721000-memory.dmp
memory/1784-10-0x00007FFFF7C60000-0x00007FFFF8721000-memory.dmp
memory/1784-11-0x000000001BE80000-0x000000001BED0000-memory.dmp
memory/1784-12-0x000000001BF90000-0x000000001C042000-memory.dmp
memory/1784-17-0x00007FFFF7C60000-0x00007FFFF8721000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\W7lUz8pWMPpn.bat
| MD5 | 070549048e8e636c807b7712d810adec |
| SHA1 | e0f480cd300d6ae877e6b40d3eafb83e13c75534 |
| SHA256 | b72fbb8bcc31061d001943a29d685c0a7beec4e9083f1eb563fa4a42c59e6058 |
| SHA512 | 60ad384d83f78aa5a3d04005bf444536477f024483db23c75cebbf53545eac0d79670faddbdfe0f7f219d49eb50bcf9ffa4cd4ec071dce749e191b0932f7ff76 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SolaraExecutor.exe.log
| MD5 | 8f0271a63446aef01cf2bfc7b7c7976b |
| SHA1 | b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7 |
| SHA256 | da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c |
| SHA512 | 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5 |
C:\Users\Admin\AppData\Local\Temp\16ZVFvTZz0CJ.bat
| MD5 | 42a16d2653c8301d7a440acec0d7c599 |
| SHA1 | 0ccdec5d54d22335cdc18e26b32ad3248b83249b |
| SHA256 | 7947e8abd5bae56cb3980ca9f8b7942895836ec4d5ce7841f6f1f5565c857a7e |
| SHA512 | fa220b3e5b734420f4eb4a856102118897f4e426c55cc88b8b00c1111a5c77fc97207f2c9d1e2a7d47e0f7e379c9257783665b497b256a8524917a374d081390 |
C:\Users\Admin\AppData\Local\Temp\iPU1zKcBXY2l.bat
| MD5 | eb10acb7880f5e49f7837b539522a971 |
| SHA1 | d1dcc55ecaaf875a65c4c303d4af750ff5ff9e7b |
| SHA256 | c4a10a643f041b610ef1d84539b39c973d2f859e62f2016ecd17c3386d86c75b |
| SHA512 | ce147a19da372b976833cc8d41ca0915b7313115c0622c27431eec7e66539e65e7464530d4d8a27a91bcee492c795a43d15f42736b60bf59f95d4ee8bc6acb48 |
C:\Users\Admin\AppData\Local\Temp\tfD9octdj03C.bat
| MD5 | f155d0c10d4fc156fba3581f56d4807f |
| SHA1 | 35d7f4cd53ec3109ac508e228961c48fa811beb6 |
| SHA256 | 46a9d4698abf34d87d53f13fec2b7bd2094fe5a5f2191f383faed25084241753 |
| SHA512 | 257b8f2e2487e0f0033433e86a8245deef60557b4d2fbf24aa130c3e939cfd9b03c1150c3a4f57325fc396c607c74b2addeff3448dd80d51eb31216c5691c396 |
C:\Users\Admin\AppData\Local\Temp\WCudxH9lkNFr.bat
| MD5 | 3df43601304ffce256a6f3b418b03434 |
| SHA1 | b8537bc4a1a3c738ee27a15720b64910ce8e2254 |
| SHA256 | 78bcbcc7a87d14a8d98c4bd0a7b62858503f1d6033326b4b514c2eb1f9bbff38 |
| SHA512 | ddb103014a88fdcaeff8ee2a8cbfecb791ac91fce61b0d1bd47acee9589d98a141356a94e7308c516f46c5d394a18ecc2eec812a1eb2fde69aa5c102c9c1886b |
C:\Users\Admin\AppData\Local\Temp\VeFbEV00Wwzy.bat
| MD5 | 38193cab429c33fc2679e7431003f4f3 |
| SHA1 | f57888f8e7749cb09425fc57898fc47f310383c3 |
| SHA256 | 7bf72f15b7f4a85791b9ef5363ee2dad93be666babb569e6d2a3d57cdba2a702 |
| SHA512 | 6019ec08d9be7ed9e375f92ffbef7461a909507a63fa038e5311dc89deca666a722448172ec8f21a6fb39cb45719097ca56a8f519f4916d99505f4d5cc95d199 |
C:\Users\Admin\AppData\Local\Temp\fytIjLcgCjOP.bat
| MD5 | 87568cd9af95148d9b35dbba41b8f330 |
| SHA1 | 25d04d31440b93b3e2b502d2a7380d6303fdc41c |
| SHA256 | 7f480b1ab30645eb49bbe4505732eb606e777c64a8051f225998be48442f0fb6 |
| SHA512 | d94103999c3dd72c6d600fad0d7e93d57759a539d4a02c89126604bfe240f496ad8f6d87fd0963f3c8c9a87bc826730269339fae874fc2af56cdc3dc4d991c88 |
C:\Users\Admin\AppData\Local\Temp\2EPZmyYmsYuF.bat
| MD5 | 0c88452007f4908fd748306a01446a90 |
| SHA1 | 4440a55bb618485a0c9b3e0902ac38d589f5ac07 |
| SHA256 | 0d25afaf76d52870d770930a184d14256aaaebe1ae711bb941953bbf34611c37 |
| SHA512 | f1d9ff78dcbd0f2a70cb8808d5e95fe684682766fa570a900298289d0ebaf62e65b40b2d1a00fd0888e26a17205feb6ea8a9db66000a94f0d66032cea575ccd7 |
C:\Users\Admin\AppData\Local\Temp\wC8XrhgPClRM.bat
| MD5 | d60f1414ba53f0445c10e5c8de3a33b8 |
| SHA1 | 5a22ec80c0e547fd9c137968f150d20c95536d45 |
| SHA256 | a82122a55d481c0c5e3babec8aa201cd025f9f01fa6a7b6174ac2af9de7b0061 |
| SHA512 | c6c760ea0bfb13208a1e0313cf4df76be9516198be3bd29689879c7aca0255562444b5208e83bc285306159b88515882c1653fd4f0be27bc6ede7c3a424dcf4c |
C:\Users\Admin\AppData\Local\Temp\26O8SILkCMi4.bat
| MD5 | 440b296784dc2f4e831d12bf2c3c28ef |
| SHA1 | 88c9efb2d7003be87665f66bd0c488ca738f3930 |
| SHA256 | 852f0865045eb7d2e78a8478dd92560076da0b23edc693c45658f7459f876993 |
| SHA512 | d7e75e1a95d9fdbc80bd72157ce65bc25d9a51d62384bd840b5d572f548585f45d20e2bd4525753640f8cdd60f355a8b3b349683160fc3742619953bc735ac87 |
C:\Users\Admin\AppData\Local\Temp\SvgLupwUcALz.bat
| MD5 | 9775265be84061192297a83a83403c1f |
| SHA1 | 13cc01f0044b636c9876ae15a0d85ab87f1a0822 |
| SHA256 | f3f9c0e7d87c8841df93c0dfb817b4726bb6556a409b9d3b86636d068c57fff0 |
| SHA512 | a5821c4b1f6a7d580936cb9aafe16774099f5651044abd24bbde3bd6ccb7b37228876ab94538bf69750d64923c3ed4806db07017e1b7810880473445d143a378 |
C:\Users\Admin\AppData\Local\Temp\Hux1T2XIq2Bb.bat
| MD5 | 48a08052aec2100a51a55ec2c4246d69 |
| SHA1 | 59c7271cbf6c76d984b37145072649837ba42b7d |
| SHA256 | 68c194cbf1607b0a2ce4ee26e4942f6e6fcdbfcb0b528dac52f4dbfa4714e2cf |
| SHA512 | b629faa78b9ce2b08dc84d6ca38852d10fafa4bcaa5927a4743e892189b9db3202266b6baae11645077393fb88e95a8d4c6d87920724f913cd4976a9d69c1daa |
C:\Users\Admin\AppData\Local\Temp\TWKuUjNHFXWj.bat
| MD5 | aeb6b9875c59a725915266ef4b1dfbac |
| SHA1 | a64b0a1ee69047552f76b55af392c815dc97b43f |
| SHA256 | d53c36330516ccac7b1de8c7dd4ff7376878790d279fb3ced62c378a81d744e1 |
| SHA512 | eedb0662f7094afbf7c8d69e72f65d84083309d72779e0e36855ee69efa6667e18ef746ec83a94262983915726c306923a46ca7106b56a5b0caab256fdd1940f |
C:\Users\Admin\AppData\Local\Temp\IiE7ZcOOcVUd.bat
| MD5 | 5ecf5ae4ced512ea6e0d5b3cc700f62a |
| SHA1 | 325fb18e5120320ad930852cbf1a3fd3d2da284c |
| SHA256 | 4709a7fb3d85b793563be539465b84fd02cd292042e6368116ef6ab0ffae7a4d |
| SHA512 | 96367156b534afb36783c7397b8f1d6f5b69096dc201ac54050ea003e793b7f1f6ca33a864168bf7c270be078c2d18383b09dc0a9da633d5727ac7c4439b9d3a |
C:\Users\Admin\AppData\Local\Temp\PsjMQ4qbaTkr.bat
| MD5 | 66ef3d7e3bdaaac4ec44542d6821b2ea |
| SHA1 | 28928bb1c2f16223268f332f88b40e69a0f529fe |
| SHA256 | 59ad232060eb121284110bfe0be3d5eca0123a30367e6933e9f739f6e73a0746 |
| SHA512 | 53541d7c23de5bdc75eab66e5845c31f964c574c9ecf715588f5c0f041c7e1bfaad43288478c83fe62ded4134b7a59647b0f0e47140d727b718b9c047c58bc3a |