Malware Analysis Report

2025-01-03 06:46

Sample ID 230823-wbx9dsfh9y
Target ayoubpayload.exe
SHA256 81ecb3b3f6307ab77fa8242cf6942cea00d2bd435a78e12e18a517cbad0311c6
Tags
asyncrat quasar stormkitty default office04 persistence rat spyware stealer trojan
score
10/10


Analysis Overview

Threat Level: Known bad

The file ayoubpayload.exe was found to be: Known bad.

Malicious Activity Summary

Quasar RAT

StormKitty payload

AsyncRat

Quasar payload

StormKitty

Async RAT payload

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

Looks up geolocation information via web service

Drops desktop.ini file(s)

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2023-08-23 17:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-23 17:45

Reported

2023-08-23 17:47

Platform

win7-20230712-en

Max time kernel

106s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe"

Signatures

AsyncRat

rat asyncrat

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quasare.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Windows\CurrentVersion\Run\CASHELP = "C:\\Users\\Admin\\AppData\\Roaming\\CASHELP.exe" C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winhelp = "C:\\Users\\Admin\\AppData\\Roaming\\Winhelp.exe" C:\Users\Admin\AppData\Local\Temp\Quasare.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\e39ff6aa680a9efca7036455a28d79a3\Admin@KDGGTDCU_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\e39ff6aa680a9efca7036455a28d79a3\Admin@KDGGTDCU_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Local\e39ff6aa680a9efca7036455a28d79a3\Admin@KDGGTDCU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\e39ff6aa680a9efca7036455a28d79a3\Admin@KDGGTDCU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Local\e39ff6aa680a9efca7036455a28d79a3\Admin@KDGGTDCU_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Local\e39ff6aa680a9efca7036455a28d79a3\Admin@KDGGTDCU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\e39ff6aa680a9efca7036455a28d79a3\Admin@KDGGTDCU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1752 set thread context of 1360 N/A C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1640 set thread context of 2484 N/A C:\Users\Admin\AppData\Local\Temp\Quasare.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Quasare.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1752 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 2300 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1752 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe C:\Users\Admin\AppData\Local\Temp\Quasare.exe
PID 1752 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe C:\Users\Admin\AppData\Local\Temp\Quasare.exe
PID 1752 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe C:\Users\Admin\AppData\Local\Temp\Quasare.exe
PID 1752 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe C:\Users\Admin\AppData\Local\Temp\Quasare.exe
PID 1752 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1752 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1752 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1752 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1752 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1752 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1752 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1752 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1752 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1640 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\Quasare.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\Quasare.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\Quasare.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\Quasare.exe C:\Windows\SysWOW64\cmd.exe
PID 596 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 596 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 596 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 596 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1360 wrote to memory of 2032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 1360 wrote to memory of 2032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 1360 wrote to memory of 2032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 1360 wrote to memory of 2032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2032 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2032 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2032 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2032 wrote to memory of 1924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2032 wrote to memory of 1924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2032 wrote to memory of 1924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2032 wrote to memory of 1924 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2032 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2032 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2032 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2032 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1360 wrote to memory of 2560 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 1360 wrote to memory of 2560 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 1360 wrote to memory of 2560 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 1360 wrote to memory of 2560 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2560 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2560 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2560 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2560 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2560 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2560 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2560 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1640 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\Quasare.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1640 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\Quasare.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1640 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\Quasare.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1640 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\Quasare.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1640 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\Quasare.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1640 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\Quasare.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1640 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\Quasare.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe

"C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell set-mppreference -exclusionpath C:\

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell set-mppreference -exclusionpath C:\

C:\Users\Admin\AppData\Local\Temp\Quasare.exe

"C:\Users\Admin\AppData\Local\Temp\Quasare.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell set-mppreference -exclusionpath C:\

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell set-mppreference -exclusionpath C:\

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Network

Country Destination Domain Proto
US 95.214.24.37:80 95.214.24.37 tcp
US 95.214.24.37:80 95.214.24.37 tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.115.97:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.68:80 apps.identrust.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
NL 185.238.3.205:6669 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Quasare.exe

MD5 0ff35d7798741aea293c375c71843c37
SHA1 798dd1f2b843978274596e64d572df3897c94749
SHA256 7074b254b78967294f590b13f95841c34ffad77517ceda7c6335f32efdb87f36
SHA512 971a94629de6044fc8eb6a061c760e48c2eb00c4752f55802351b5b8c646f42439ad6031ca85500f0a275aec70bf04fb5e3b82a046c636492142c3637f56785a

C:\Users\Admin\AppData\Local\e39ff6aa680a9efca7036455a28d79a3\Admin@KDGGTDCU_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 525553eb79a476a58db2d3cf3a84ce81
SHA1 d60a58ea1932e78eb9ba5ecbe8d727b435d1647a
SHA256 48ef5d57b94ef4ce03413c79bd26d741d95489dc957beed47e94e58851a2c2be
SHA512 862f2afdd35963ef72d83a92ecc8cfc9121bccd577623e3aae277614c86b71bbffbef0cb31eeccce1e22c07322aebb5ad6acc25a6f4e716fa1aa1a7ac8efbfe7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AH658KE0DOLDASBY20WJ.temp

MD5 580b94a8814e938466e46bb627ae4083
SHA1 11974e447c5b08d7138586e0dc230d5a4f588514
SHA256 b562ffc0ab1c4b93bdea9c2a15f0f53cf44ef134414d5b713f73a449d2f80d32
SHA512 0b56fda423a7eabaa72ad5a47513f0823809843719c634719b90c24ecf93f66acfd6986e19e39e4dfce0ea5ec211511218d60e70a08c609fd3b143bc366f4c96

C:\Users\Admin\AppData\Local\Temp\Cab8658.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 e56ec378251cd65923ad88c1e14d0b6e
SHA1 7f5d986e0a34dd81487f6439fb0446ffa52a712e
SHA256 32ccf567c07b62b6078cf03d097e21cbf7ef67a4ce312c9c34a47f865b3ad0a0
SHA512 2737a622ca45b532aebc202184b3e35cde8684e5296cb1f008e7831921be2895a43f952c1df88d33011a7b9586aafbd88483f6c134cb5e8e98c236f5abb5f3aa

C:\Users\Admin\AppData\Local\Temp\Tar892D.tmp

MD5 19399ab248018076e27957e772bcfbab
SHA1 faef897e02d9501146beb49f75da1caf12967b88
SHA256 326842dd8731e37c8c27a08373c7ac341e6c72226cc850084e3a17d26675f3c9
SHA512 6d5b12ec637ef4223fdd0e271cdc9f860b060ff08d380bba546ac6962b1d672003f9ae9556d65282d8083e830d4277bad8d16443720716077e542ab0262b0103

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6ea4e428b575f139fe292cd43aafa774
SHA1 be0fe849f086e026f9d504671b4a1d1899d0b37e
SHA256 8b7dfae23bcd58bb811b0c8bc435318776d7c794962482f59e7028ecee49f569
SHA512 021f81b11e0fcd9a1e9cd71ad86cc4e449b9b10af46503edb38eaab0dd55e77cec6cbc0b96756f7c1f75d527018e2801c9aef608f53a30d2ecb28ccf394061d8

C:\Users\Admin\AppData\Local\2403cbf8839cadce596bc81c9d82c2b0\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Users\Admin\AppData\Roaming\Winhelp.exe

MD5 0ff35d7798741aea293c375c71843c37
SHA1 798dd1f2b843978274596e64d572df3897c94749
SHA256 7074b254b78967294f590b13f95841c34ffad77517ceda7c6335f32efdb87f36
SHA512 971a94629de6044fc8eb6a061c760e48c2eb00c4752f55802351b5b8c646f42439ad6031ca85500f0a275aec70bf04fb5e3b82a046c636492142c3637f56785a

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-23 17:45

Reported

2023-08-23 17:47

Platform

win10v2004-20230703-en

Max time kernel

97s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe"

Signatures

AsyncRat

rat asyncrat

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Quasare.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CASHELP = "C:\\Users\\Admin\\AppData\\Roaming\\CASHELP.exe" C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winhelp = "C:\\Users\\Admin\\AppData\\Roaming\\Winhelp.exe" C:\Users\Admin\AppData\Local\Temp\Quasare.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\1e0d829da74e11f34033286c1ce1636b\Admin@BIHQJRXS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\1e0d829da74e11f34033286c1ce1636b\Admin@BIHQJRXS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Local\1e0d829da74e11f34033286c1ce1636b\Admin@BIHQJRXS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Local\1e0d829da74e11f34033286c1ce1636b\Admin@BIHQJRXS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Local\1e0d829da74e11f34033286c1ce1636b\Admin@BIHQJRXS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Local\1e0d829da74e11f34033286c1ce1636b\Admin@BIHQJRXS_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File created C:\Users\Admin\AppData\Local\1e0d829da74e11f34033286c1ce1636b\Admin@BIHQJRXS_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4692 set thread context of 4064 N/A C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1300 set thread context of 4088 N/A C:\Users\Admin\AppData\Local\Temp\Quasare.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Quasare.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4692 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe C:\Windows\SysWOW64\cmd.exe
PID 876 wrote to memory of 776 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe C:\Users\Admin\AppData\Local\Temp\Quasare.exe
PID 4692 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1300 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\Quasare.exe C:\Windows\SysWOW64\cmd.exe
PID 3140 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4064 wrote to memory of 3528 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 3528 wrote to memory of 4756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3528 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3528 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4064 wrote to memory of 3532 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 3532 wrote to memory of 3392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3532 wrote to memory of 4764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1300 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\Quasare.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe

"C:\Users\Admin\AppData\Local\Temp\ayoubpayload.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell set-mppreference -exclusionpath C:\

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell set-mppreference -exclusionpath C:\

C:\Users\Admin\AppData\Local\Temp\Quasare.exe

"C:\Users\Admin\AppData\Local\Temp\Quasare.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell set-mppreference -exclusionpath C:\

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell set-mppreference -exclusionpath C:\

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 154.252.72.23.in-addr.arpa udp
US 95.214.24.37:80 95.214.24.37 tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 37.24.214.95.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 95.214.24.37:80 95.214.24.37 tcp
US 8.8.8.8:53 121.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.114.97:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 97.114.18.104.in-addr.arpa udp
US 8.8.8.8:53 66.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
NL 185.238.3.205:6669 tcp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 205.3.238.185.in-addr.arpa udp
N/A 127.0.0.1:7707 tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y525mf0g.v2b.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\Quasare.exe

MD5 0ff35d7798741aea293c375c71843c37
SHA1 798dd1f2b843978274596e64d572df3897c94749
SHA256 7074b254b78967294f590b13f95841c34ffad77517ceda7c6335f32efdb87f36
SHA512 971a94629de6044fc8eb6a061c760e48c2eb00c4752f55802351b5b8c646f42439ad6031ca85500f0a275aec70bf04fb5e3b82a046c636492142c3637f56785a

C:\Users\Admin\AppData\Local\1e0d829da74e11f34033286c1ce1636b\Admin@BIHQJRXS_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5b506af502cc4ed2a97e3de413bd364b
SHA1 4f594c858fd821d875e4b26bcb6f827e720fa9b9
SHA256 8fe0859c10bf7ef449f57a93f8431bf233450e08ff44f01c407c52f9a7acff2b
SHA512 35495d95bd92fb51601c641e631b30b1e4771852bfd45c55836724d14ba1e0f0cef3cb69ede073712a679bacb45b66d496d4abdef21d14e9862be58d42f7ee9f

C:\Users\Admin\AppData\Local\1e0d829da74e11f34033286c1ce1636b\Admin@BIHQJRXS_en-US\System\Process.txt

MD5 c9c1e706a0068ceb98df750c066be210
SHA1 93f462e5c7b34b909c39e4c70409da309b7fe5a6
SHA256 870690a18b43c5c6002efa2973e56bad99a4aa342e88aaf3df14c0e707875043
SHA512 6b1fcf981e37c23301c75e3f21ab165ca9babf44fd4bfe23fb9100b5563c72cefa6ff03cb4894d0352581c253c9adfaa58bc97a868f58ade7515d55f6721f19a

C:\Users\Admin\AppData\Local\4e1bfbbe75e0995c0042f5060ad2363f\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
