Analysis

max time kernel: 1799s
max time network: 1691s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-12-2023 15:16

Tasks

Static task: static1
Behavioral task: behavioral1
  Sample: dream_TradingCard (3).jpg
  Resource: win7-20231201-en

Note: the YARA hits further down are tagged behavioral2 and the header above names the win10v2004 image; the behavioral1 (win7) task is listed here but none of its results appear on this page.
General

Target: dream_TradingCard (3).jpg
Size: 315KB
MD5: db656096fb43707d3715a81082c26329
SHA1: 0b9a7e9fb083fbfe3f1737cb4d29fdbd09e16f28
SHA256: b76679275457665ff82c8fc110933f860ff555280420c81c76dc2328110da6d6
SHA512: 32b4b00418adb25ee223150ef2a6d07c439fe71823dd5663420061742b86038bbc5c58bbbfa9f1ae9f3c78b2ba1acf9562cc7a41ce84813f6fd173fd58e4a564
SSDEEP: 6144:8eXNKLQECzuNZXZoHs7A4M5i4GpNSICyVqW4qk9mjGxRQfqEALKrC:r9KL3CqNZXHPMQpF74qkbTQiHLB
Malware Config

Extracted

family: quasar
version: 1.4.1
Office04
10.127.0.135:4782
14340f65-9950-4e4b-8350-0ad336406252
encryption_key: A2C73B9484F3A2B93B5E62BE3BE1D153A827BE62
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: SystemShell
subdirectory: SubDir

The three unlabelled values lost their field names in extraction. In the order Quasar's client builder writes them they are the client tag (Office04), the C2 endpoint (10.127.0.135, TCP 4782, which is Quasar's default port) and the client mutex GUID; treat that mapping as an inference from the builder's layout rather than something this page states. Before acting on the C2, note that 10.127.0.135 is an RFC 1918 private address: this build can only reach its controller from inside that network, and the address is useless as a perimeter indicator. install_name, subdirectory, log_directory, reconnect_delay and the Office04 tag all match the values Quasar's builder pre-fills; only startup_key (SystemShell) was changed by whoever built this client.
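The config above is only useful once it is turned into things a responder can search for: the exact install path, the task or Run-key name, the mutex, and a judgement on whether the C2 is even routable. The script below does that for this report's values. It is an added example written for this page, not Tria.ge or Quasar code; the labels tag, c2 and mutex for the three unlabelled lines, and System32 as the install root (which is what the "Drops file in System32 directory" hits show), are assumptions rather than fields the page states.

```python
"""Turn an extracted Quasar config into searchable IoCs.

Added example for this report, not Tria.ge or Quasar code. The labels
'tag', 'c2' and 'mutex' for the three unlabelled values and the System32
install root are assumptions; every other value is copied from the page.
"""
import ipaddress
import re

# Constructed input: the 'Malware Config' block of this report as key/value text.
RAW_CONFIG = """
family: quasar
version: 1.4.1
tag: Office04
c2: 10.127.0.135:4782
mutex: 14340f65-9950-4e4b-8350-0ad336406252
encryption_key: A2C73B9484F3A2B93B5E62BE3BE1D153A827BE62
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: SystemShell
subdirectory: SubDir
"""

SYSTEM32 = "C:\\Windows\\system32"  # assumed install root (matches the report's drop path)


def parse_config(text):
    """key: value lines -> dict; only the first colon separates key from value."""
    cfg = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        cfg[key.strip()] = value.strip()
    return cfg


def split_c2(c2):
    """Split 'host:port' entries; a Quasar config may carry several separated by ';'."""
    hosts = []
    for item in c2.split(";"):
        host, sep, port = item.strip().rpartition(":")
        if not sep:
            raise ValueError(f"no port in {item!r}")
        hosts.append((host, int(port)))
    return hosts


def c2_scope(host):
    """'private' for RFC 1918/loopback/link-local, 'public' for routable IPs, 'domain' for names."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "domain"
    return "private" if (ip.is_private or ip.is_loopback or ip.is_link_local) else "public"


def encryption_key_is_40_hex(key):
    """Quasar 1.4 builds carry a 40-hex-character key here; flag anything else as odd."""
    return re.fullmatch(r"[0-9A-Fa-f]{40}", key) is not None


def build_iocs(cfg):
    iocs = {
        "install_path": "\\".join([SYSTEM32, cfg["subdirectory"], cfg["install_name"]]),
        "task_or_runkey_name": cfg["startup_key"],
        "mutex": cfg["mutex"],
        "c2": [],
    }
    for host, port in split_c2(cfg["c2"]):
        iocs["c2"].append({"host": host, "port": port, "scope": c2_scope(host)})
    return iocs


if __name__ == "__main__":
    cfg = parse_config(RAW_CONFIG)
    for key, value in build_iocs(cfg).items():
        print(f"{key}: {value}")
    print("encryption_key well-formed:", encryption_key_is_40_hex(cfg["encryption_key"]))
```

Run as-is it reports the install path C:\Windows\system32\SubDir\Client.exe, the task name SystemShell, the mutex, and the C2 as 10.127.0.135:4782 with scope "private". The scope check is the part worth keeping in a triage pipeline: a private or loopback C2 almost always means a test build or an internal red-team tool, and it should stop the address from being pushed to a blocklist.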
Signatures

Quasar payload 8 IoCs

resource | yara_rule
behavioral2/memory/4032-407-0x000001DA0F620000-0x000001DA0F758000-memory.dmp | family_quasar
behavioral2/memory/4032-410-0x000001DA0FB60000-0x000001DA0FB76000-memory.dmp | family_quasar
behavioral2/files/0x000600000001e5ab-642.dat | family_quasar
behavioral2/files/0x000600000001e5ab-643.dat | family_quasar
behavioral2/memory/776-645-0x0000000000C40000-0x0000000000F64000-memory.dmp | family_quasar
behavioral2/files/0x0002000000020ab4-650.dat | family_quasar
behavioral2/files/0x0002000000020ab4-652.dat | family_quasar
behavioral2/files/0x000600000001e5ab-656.dat | family_quasar

The process names matter for attribution. Quasar.exe is the name of Quasar's server/management application, and Client-built.exe is the file name its client builder proposes for the output. Together with the common-dialog (ComDlg) shell bag keys that Quasar.exe writes under "Modifies registry class" below, the run looks like a Quasar server being operated inside the sandbox and a fresh client being built, dropped and installed, rather than a payload unpacked from the submitted .jpg.
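The YARA hit names above encode the PID and the address range of every flagged memory region, so the first triage question, "which processes actually carry the payload and how big is it", can be answered from this table alone. The parser below is an added example written for this report, not Tria.ge code; it assumes only the naming scheme visible on this page (`<task>/memory/<pid>-<n>-<start>-<end>-memory.dmp` and `<task>/files/<hex id>-<n>.dat`).

```python
"""Parse Tria.ge-style YARA hit resource names into structured records.

Added example for this report, not Tria.ge code. Only the naming scheme
as it appears on this page is assumed.
"""
import re

# Constructed input: the eight resource names from the 'Quasar payload' table.
HITS = """
behavioral2/memory/4032-407-0x000001DA0F620000-0x000001DA0F758000-memory.dmp family_quasar
behavioral2/memory/4032-410-0x000001DA0FB60000-0x000001DA0FB76000-memory.dmp family_quasar
behavioral2/files/0x000600000001e5ab-642.dat family_quasar
behavioral2/files/0x000600000001e5ab-643.dat family_quasar
behavioral2/memory/776-645-0x0000000000C40000-0x0000000000F64000-memory.dmp family_quasar
behavioral2/files/0x0002000000020ab4-650.dat family_quasar
behavioral2/files/0x0002000000020ab4-652.dat family_quasar
behavioral2/files/0x000600000001e5ab-656.dat family_quasar
"""

MEM_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"(?P<start>0x[0-9A-Fa-f]+)-(?P<end>0x[0-9A-Fa-f]+)-memory\.dmp$")
FILE_RE = re.compile(r"^(?P<task>[^/]+)/files/(?P<fid>0x[0-9A-Fa-f]+)-(?P<seq>\d+)\.dat$")


def parse_hit(line):
    """One 'resource rule' line -> dict; memory hits get their byte size computed."""
    resource, rule = line.split()
    m = MEM_RE.match(resource)
    if m:
        start, end = int(m["start"], 16), int(m["end"], 16)
        return {"kind": "memory", "task": m["task"], "pid": int(m["pid"]),
                "seq": int(m["seq"]), "start": start, "end": end,
                "size": end - start, "rule": rule}
    m = FILE_RE.match(resource)
    if m:
        return {"kind": "file", "task": m["task"], "file_id": m["fid"],
                "seq": int(m["seq"]), "rule": rule}
    raise ValueError(f"unrecognised resource name: {resource}")


def parse_hits(text):
    return [parse_hit(line) for line in text.strip().splitlines()]


def summarise(hits):
    """Flagged bytes per PID and the distinct dropped-file ids: the two things to chase next."""
    by_pid = {}
    file_ids = set()
    for h in hits:
        if h["kind"] == "memory":
            by_pid[h["pid"]] = by_pid.get(h["pid"], 0) + h["size"]
        else:
            file_ids.add(h["file_id"])
    return by_pid, sorted(file_ids)


if __name__ == "__main__":
    by_pid, file_ids = summarise(parse_hits(HITS))
    for pid, size in by_pid.items():
        print(f"PID {pid}: {size:#x} bytes ({size / 1024:.0f} KiB) matched family_quasar")
    print("dropped file ids:", file_ids)
```

On this report's data the script attributes 0x14E000 bytes (about 1.3 MiB, two regions) to PID 4032 (Quasar.exe) and 0x324000 bytes (about 3.2 MiB) to PID 776 (Client-built.exe), and finds two distinct dropped-file ids that were each scanned more than once. The 3.2 MiB region in PID 776 is ten times the size of the 315 KB sample, which is one more reason to doubt that the .jpg carried the payload.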
Executes dropped EXE 3 IoCs

pid | Process
776 | Client-built.exe
4244 | Client.exe
5416 | Client-built.exe

Legitimate hosting services abused for malware hosting/C2 1 TTP
(no IoCs listed)

Drops file in System32 directory 5 IoCs

description | ioc | Process
File opened for modification | C:\Windows\system32\SubDir\Client.exe | Client-built.exe
File opened for modification | C:\Windows\system32\SubDir | Client-built.exe
File opened for modification | C:\Windows\system32\SubDir\Client.exe | Client.exe
File opened for modification | C:\Windows\system32\SubDir | Client.exe
File created | C:\Windows\system32\SubDir\Client.exe | Client-built.exe

The drop path is exactly subdirectory + install_name from the extracted config, rooted in the System32 directory. Writing there needs administrative rights, so the client was running elevated; an unprivileged run with this config could not have created that file.
Enumerates physical storage devices 1 TTP
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTP 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

pid | Process
1720 | schtasks.exe
4300 | schtasks.exe

Neither the parent of these schtasks.exe processes nor the task name is captured on this page. Quasar uses the config's startup_key as the task name, so SystemShell is the value to look for in the Task Scheduler library on a host suspected of running this build.
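The two signals above, an executable dropped under System32 and schtasks.exe being launched, are weak on their own but strong together when the task registers the very file that was just dropped. The detector below correlates them over process and file events. It is an added example written for this report, not Tria.ge or Quasar code. The event lines are constructed in a Sysmon-like shape; the report supplies the dropped path, the dropper PID 776 (Client-built.exe), the installed copy's PID 4244 (Client.exe) and the schtasks.exe PIDs 1720 and 4300, but the parent/child links, the image directories and the schtasks command lines are assumptions.

```python
"""Correlate 'Drops file in System32 directory' with 'Creates scheduled task(s)'.

Added example for this report, not Tria.ge or Quasar code. Event lines are
constructed (11 = FileCreate, 1 = ProcessCreate, Sysmon numbering); parent
links, image directories and schtasks command lines are assumptions.
"""
import re

# Constructed events, one per line: event_id|pid|parent_pid|image|detail
# (detail = created path for FileCreate, command line for ProcessCreate).
# The last two lines are a benign vendor updater, to show the rule staying quiet.
SAMPLE_EVENTS = r"""
11|776|-|C:\Users\Admin\Desktop\Client-built.exe|C:\Windows\system32\SubDir\Client.exe
1|4244|776|C:\Windows\system32\SubDir\Client.exe|"C:\Windows\system32\SubDir\Client.exe"
1|1720|776|C:\Windows\System32\schtasks.exe|schtasks /create /tn "SystemShell" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
1|4300|4244|C:\Windows\System32\schtasks.exe|schtasks /create /tn "SystemShell" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
1|9001|900|C:\Program Files\Vendor\updater.exe|"C:\Program Files\Vendor\updater.exe" /background
1|9002|9001|C:\Windows\System32\schtasks.exe|schtasks /create /tn "VendorUpdate" /sc DAILY /tr "C:\Program Files\Vendor\updater.exe"
"""

SYSTEM32_PREFIX = "c:\\windows\\system32\\"
WINDOWS_PREFIX = "c:\\windows\\"
TR_RE = re.compile(r'/tr\s+"?([^"]+?)"?(?:\s+/|$)', re.I)  # the /tr <path> argument of schtasks


def norm(path):
    """Case-fold and strip quotes so paths compare equal however they were logged."""
    return path.strip().strip('"').lower()


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        eid, pid, ppid, image, detail = line.split("|", 4)
        events.append({"eid": int(eid), "pid": int(pid),
                       "ppid": None if ppid == "-" else int(ppid),
                       "image": norm(image), "detail": detail})
    return events


def task_target(cmdline):
    """Path the scheduled task will run, or None if no /tr argument is present."""
    m = TR_RE.search(cmdline)
    return norm(m.group(1)) if m else None


def detect_dropped_exe_persistence(events):
    """Alert when a process from outside the Windows directory creates an .exe
    under System32 and a later 'schtasks /create' registers that same .exe,
    launched either by the dropper or by the dropped file itself."""
    dropped = {}  # normalised dropped path -> dropper pid
    for ev in events:
        target = norm(ev["detail"])
        if (ev["eid"] == 11 and target.endswith(".exe")
                and target.startswith(SYSTEM32_PREFIX)
                and not ev["image"].startswith(WINDOWS_PREFIX)):
            dropped[target] = ev["pid"]

    image_of = {ev["pid"]: ev["image"] for ev in events if ev["eid"] == 1}
    alerts = []
    for ev in events:
        if ev["eid"] != 1 or not ev["image"].endswith("\\schtasks.exe"):
            continue
        if "/create" not in ev["detail"].lower():
            continue
        target = task_target(ev["detail"])
        if target not in dropped:
            continue
        via = ("dropper" if ev["ppid"] == dropped[target]
               else "payload" if image_of.get(ev["ppid"]) == target
               else None)
        if via:
            alerts.append({"schtasks_pid": ev["pid"], "parent_pid": ev["ppid"],
                           "payload": target, "dropper_pid": dropped[target], "via": via})
    return alerts


if __name__ == "__main__":
    for alert in detect_dropped_exe_persistence(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed events this fires twice, once for schtasks launched by the dropper (PID 776) and once for schtasks launched by the installed Client.exe (PID 4244), and stays silent for the vendor updater because its task target was never dropped under System32. The "Uses Task Scheduler COM API" hit below is the same technique without a schtasks.exe process; covering it needs a Task Scheduler operational-log or ETW source rather than process creation events.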
Enumerates system info in registry 2 TTPs 3 IoCs

description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

All three hits come from Microsoft Edge, which reads these two BIOS strings as part of Chromium's normal hardware-model reporting; this is not the RAT fingerprinting the host.

Gathers network information 2 TTPs 1 IoC
Uses commandline utility to view network configuration.

pid | Process
5932 | ipconfig.exe

PID 5932 also appears as an msedge.exe utility process in the Processes section. Windows reuses PIDs within a run, so match on image name and start time rather than on PID alone.

(Signature heading missing from the extraction) 4 IoCs

description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | explorer.exe

These four writes are all by explorer.exe to the Internet Explorer toolbar layout keys, which Explorer maintains for its own window chrome; nothing here is attributable to the RAT.
Modifies registry class 64 IoCs

Unless a full \REGISTRY\ path is given, every key below is relative to \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell. These are shell bag keys: Explorer and the common open/save dialog (the ComDlg subkeys) store folder view state there, so the Quasar.exe entries record file dialogs being used in that process, and the BagMRU\0\1 value 19002f433a5c... is a shell item for the C:\ volume.

description | ioc | Process
Key created | Bags\4\Shell | Quasar.exe
Set value (int) | Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | Quasar.exe
Set value (int) | Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | Quasar.exe
Set value (data) | BagMRU\0\MRUListEx = 0000000001000000ffffffff | Quasar.exe
Set value (str) | Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | explorer.exe
Set value (data) | BagMRU\NodeSlots = 020202 | Quasar.exe
Key created | BagMRU\0\1 | Quasar.exe
Set value (int) | Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | Quasar.exe
Set value (int) | Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" | Quasar.exe
Set value (int) | Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" | Quasar.exe
Set value (data) | BagMRU\0\MRUListEx = 0100000000000000ffffffff | Quasar.exe
Set value (str) | Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | Quasar.exe
Key created | Bags\2\Shell | Quasar.exe
Set value (int) | Bags\AllFolders\Shell\ShowCmd = "1" | explorer.exe
Set value (int) | Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | Quasar.exe
Set value (data) | Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | Quasar.exe
Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings | msedge.exe
Set value (int) | Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | Quasar.exe
Set value (int) | Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | Quasar.exe
Set value (int) | Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | explorer.exe
Set value (int) | Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | Quasar.exe
Set value (int) | Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | Quasar.exe
Key created | \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings | explorer.exe
Set value (int) | Bags\AllFolders\Shell\WFlags = "0" | explorer.exe
Set value (int) | Bags\AllFolders\Shell\HotKey = "0" | explorer.exe
Key created | Bags\4 | Quasar.exe
Key created | Bags\5 | Quasar.exe
Set value (int) | Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" | Quasar.exe
Set value (data) | Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | Quasar.exe
Key created | BagMRU\0 | Quasar.exe
Set value (int) | Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | Quasar.exe
Key created | BagMRU\0\1\0\0\0 | explorer.exe
Set value (int) | Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | explorer.exe
Set value (data) | Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | explorer.exe
Key created | Bags\5\Shell | Quasar.exe
Set value (int) | Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | Quasar.exe
Set value (data) | BagMRU\NodeSlots = 020202020202 | Quasar.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2037190880-819243489-950462038-1000\{223C7C70-2D82-4223-8034-3F14F2137892} | msedge.exe
Key created | BagMRU\0\1\0\0 | Quasar.exe
Key created | BagMRU\0\1\0\0\0\0 | Quasar.exe
Set value (int) | Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | Quasar.exe
Set value (int) | Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | Quasar.exe
Key created | Bags\6\ComDlg | Quasar.exe
Set value (data) | Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | Quasar.exe
Set value (data) | BagMRU\MRUListEx = 00000000ffffffff | Quasar.exe
Set value (data) | BagMRU\NodeSlots = 02020202 | Quasar.exe
Set value (int) | Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | Quasar.exe
Set value (data) | BagMRU\MRUListEx = 00000000ffffffff | explorer.exe
Key created | Bags\4\ComDlg | Quasar.exe
Set value (data) | Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | Quasar.exe
Set value (int) | Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | Quasar.exe
Key created | Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} | Quasar.exe
Set value (data) | BagMRU\NodeSlots = 020202020202 | explorer.exe
Key created | BagMRU\0\1 | explorer.exe
Key created | Bags | explorer.exe
Set value (data) | BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000 | Quasar.exe
Set value (int) | BagMRU\0\1\0\0\0\0\0\NodeSlot = "4" | Quasar.exe
Set value (int) | Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | Quasar.exe
Set value (int) | Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | Quasar.exe
Key created | Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | Quasar.exe
Set value (data) | BagMRU\0\1\0\0\0\MRUListEx = 00000000ffffffff | Quasar.exe
Set value (data) | BagMRU\NodeSlots = 0202020202 | Quasar.exe
Key created | Bags\2 | Quasar.exe
Key created | Bags\AllFolders | explorer.exe
Suspicious behavior: AddClipboardFormatListener 1 IoC

pid | Process
5184 | explorer.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid | Process | hits
4844 | msedge.exe | 2
1812 | msedge.exe | 2
5408 | identity_helper.exe | 2
5932 | msedge.exe | 2
3880 | msedge.exe | 2
3340 | msedge.exe | 4

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid | Process
4032 | Quasar.exe
5184 | explorer.exe
2868 | Quasar.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid | Process | hits
4 | Process not Found | 5
652 | Process not Found | 1

PID 4 is the System process, so driver loads attributed to it are ordinary kernel activity, not something the sample did.

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid | Process | hits
1812 | msedge.exe | 14

Suspicious use of AdjustPrivilegeToken 7 IoCs

description | pid | Process
Token: SeDebugPrivilege | 4032 | Quasar.exe
Token: SeDebugPrivilege | 2712 | Quasar.exe
Token: SeDebugPrivilege | 5984 | Quasar.exe
Token: SeDebugPrivilege | 776 | Client-built.exe
Token: SeDebugPrivilege | 4244 | Client.exe
Token: SeDebugPrivilege | 5416 | Client-built.exe
Token: SeDebugPrivilege | 2868 | Quasar.exe

Every Quasar component in the run requests SeDebugPrivilege, which is only granted to an elevated token; this is the same "ran as administrator" signal as the System32 drop.

Suspicious use of FindShellTrayWindow 42 IoCs

pid | Process | hits
1812 | msedge.exe | 33
4032 | Quasar.exe | 2
2712 | Quasar.exe | 2
5984 | Quasar.exe | 2
4244 | Client.exe | 1
2868 | Quasar.exe | 2

Suspicious use of SendNotifyMessage 33 IoCs

pid | Process | hits
1812 | msedge.exe | 24
4032 | Quasar.exe | 2
2712 | Quasar.exe | 2
5984 | Quasar.exe | 2
4244 | Client.exe | 1
2868 | Quasar.exe | 2

Suspicious use of SetWindowsHookEx 9 IoCs

pid | Process | hits
4032 | Quasar.exe | 6
5184 | explorer.exe | 2
4244 | Client.exe | 1

Suspicious use of WriteProcessMemory 64 IoCs

Every one of the 64 entries has the form "PID 1812 wrote to memory of <target> 1812 msedge.exe <procid_target>", with the same four targets repeated many times:

target pid | procid_target | Process
412 | 93 | msedge.exe
4756 | 94 | msedge.exe
4844 | 95 | msedge.exe
5016 | 96 | msedge.exe

Those targets are the crashpad-handler, gpu-process, network service and storage service children of Edge listed under Processes, so this is Chromium's normal child-process bootstrap (the browser writes startup data into each child it creates), not injection by the RAT. The list stops at 64 entries, which looks like a display cap rather than the true count.

Uses Task Scheduler COM API 1 TTP
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

The tree is truncated in this extraction: it ends inside Edge's child processes and never reaches Quasar.exe, Client-built.exe, Client.exe, schtasks.exe or ipconfig.exe, although the signatures above reference all of them. cmd.exe (PID 2364) launched the submitted .jpg and has no children here; msedge.exe (PID 1812) is a separate top-level process, and everything under it is Chromium's ordinary multi-process layout (one crashpad handler, one GPU process, utility services and a renderer per site instance).

[1] C:\Windows\system32\cmd.exe, PID 2364
    cmd /c "C:\Users\Admin\AppData\Local\Temp\dream_TradingCard (3).jpg"

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, PID 1812
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    Signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

  [2] msedge.exe (crashpad-handler), PID 412
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9193646f8,0x7ff919364708,0x7ff919364718

  [2] msedge.exe (gpu-process), PID 4756
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2

  [2] msedge.exe (utility: network.mojom.NetworkService), PID 4844
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses

  [2] msedge.exe (utility: storage.mojom.StorageService), PID 5016
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8

  [2] msedge.exe (renderer, client id 5), PID 1776
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

  [2] msedge.exe (renderer, client id 6), PID 2608
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

  [2] msedge.exe (renderer, client id 8), PID 4628
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1

  [2] msedge.exe (renderer, client id 7), PID 8
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (utility: winrt_app_id.mojom.WinrtAppIdService), PID 5392
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 /prefetch:8

  [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (utility: winrt_app_id.mojom.WinrtAppIdService), PID 5408
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses

  [2] msedge.exe (renderer, client id 10), PID 5032
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1

  [2] msedge.exe (renderer, client id 12), PID 732
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1

  [2] msedge.exe (renderer, client id 11), PID 764
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1

  [2] msedge.exe (renderer, client id 13), PID 3652
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2228 /prefetch:1

  [2] msedge.exe (renderer, client id 15), PID 5820
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1

  [2] msedge.exe (renderer, client id 14), PID 5588
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1

  [2] msedge.exe (utility: video_capture.mojom.VideoCaptureService), PID 5932
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5828 /prefetch:8
      Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses

  [2] msedge.exe (utility: audio.mojom.AudioService), PID 5840
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5532 /prefetch:8

  [2] msedge.exe (renderer, client id 18), PID 6116
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1

  [2] msedge.exe (renderer, client id 19), PID 5784
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2228 /prefetch:12⤵PID:6032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3880
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:12⤵PID:5628
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6192 /prefetch:82⤵PID:3356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6524 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:3340
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4588
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3700
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:764
-
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4032 -
C:\Windows\explorer.exe"C:\Windows\explorer.exe" /select, "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12"2⤵PID:4832
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5184 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtAddPFX C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p122⤵PID:3264
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵PID:6064
-
C:\Windows\system32\ipconfig.exeipconfig2⤵
- Gathers network information
PID:5932
-
-
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2712
-
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5984
-
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:776 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "SystemShell" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
PID:1720
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4244 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "SystemShell" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
PID:4300
-
-
-
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5416
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtAddPFX C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p121⤵PID:3128
-
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2868
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
2KB
MD5e07c3925c4e8b60a8ea6300a1437ef3a
SHA1101e086eed0ac5cde21219343545f5042fb1cb12
SHA25698dd0707ee1844d0b0ad3f44d21c9bbfd1c135e18ea22061c9bc4e0e45736156
SHA5128ba1327624a4225082e608d9f7689796a5fdfaeb042f9870164436ff0022e94379e8b98774665e3ccc73d8cc1d3c510fbabd10f39b0f164c4fe3310570da5b8d
-
Filesize
152B
MD5e5c27b4a4d5a3c9c60ba18cb867266e3
SHA1dea55f1d4cdc831f943f4e56f4f8e9a926777600
SHA256860ed0acc83eb0096cc8911725e2c631ff879ad8c35854577651af502c4b69c9
SHA51256eda28e9c61e8081dadc220d23e7bb3320a9ba557eb7511d17a3d2836aa61f301d1d714a3d611eedd7c4b91886c790af7366b01acdb3b637f3dc4fb024f3f6b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB
MD59c86c13db22ffdb9c60338e740507c6a
SHA12eb29e2bad107dc2bd967ef777aaef77d5d53a38
SHA25605d502fe097ac253214eaaf8652fa3b6c5d0a3d4afb83786ddca176d10c0695b
SHA512f6f466184ccd7b6ab82499c19c4962f1c24e7bd9d9f32ca355f5b67edb7d44f6ae102d2baefe6e1439b3b77396a371e064ea4f15571244e3c0ccd8d81b20086c
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
784B
MD5b6ef8d01093124240f580da4dbb5086a
SHA1af8e246b9d4b7c0baf60cb137c7d2776c2490a2a
SHA2563cefead3e0321dfbe9cdc3088fbd8abfef1277ddd33be1fd8a0faba5b44d5a4c
SHA5129d816f0fdf6113e94424a92a76fcc1b6dfa1923d7544d3febde8e107449238eefa14c71b663fe0d28d7db61777c07d5966de3f6a19e707184d5784d00641a062
-
Filesize
5KB
MD52c680866191e41cd8ffd5274da671193
SHA1d9d61473bcf551016bc5d53d252d0574da9e9000
SHA256bbd753f1ac202c749cbf3830f1b3579a18ad1b2a3fc5d0005088c7a2fb6a3dd2
SHA5124c1afba3910b73d5c3c5a10d2a1776ca100e2b5549b3e09c0b158e73aa7539a9742edfcdef7eaad94922291d81d4b774f700de7fc1756bef628e554a84bbc6a5
-
Filesize
5KB
MD5601674c72ab6432255af673b850fcb6d
SHA19d966cb6e50342ecdf42788e748fa34b1d1c0550
SHA2564e55bf87d293ec916aa3acc02917c7614c91755737184347166b669c229744e8
SHA51269caa304301a860c399d1010dddf4363d78b859f0c662849ec562c30f60b7d5f392999c278efd5ac6aa560d4aaae4fc14aa20724d686611e8500bc3bd1188c84
-
Filesize
6KB
MD54858993618695a949086e34cc9513485
SHA1d68dbc2a2a3b21e0d5125065cca28c2cfa7cb0b6
SHA256771d8f331a5dbcf8d957f13fb85aa4f8d6340abbd1a48fa7f29fe64b00d8b41e
SHA51296182c7474f8ae441d090280917049fbc4b18af66d4420e39aff99871cd1ef1740f07b50574c797c194e7e20c0642f8663af690d77b48515ea3764b2184e788a
-
Filesize
5KB
MD5f857614d988720fc329022cd1d853174
SHA1977c51d89a224a54e698f5c2401922712e60e392
SHA256fb9c40badb12e3cfb61045c7645f48518cab518700552b4d944607a78670719e
SHA512cb2f02048e38c1d79ed933add07a01ef99e71a9ec710cc2d3c2a6e9a840aae6cdd6226173debe6209ee441235f69063f0fe702d5eaa26f181ce54ca73edf0680
-
Filesize
24KB
MD5e30738d93d6789672ce8e1c4bfe275a8
SHA1ce2195ec1f2e3830b9a106a9dc8d7fa5397d10fc
SHA2567d60046d1238ff11bdf616d83c212ad6866a7cc630ee9be8580050dee7f74832
SHA512e39c9590f558477a1b823de555bf27542a725566d8bd839a1c493459444d49d755445d8ff34f59681ede12a8e654c5a7fc34b6008c9abcfd65d09f6b1b523a65
-
Filesize
1KB
MD588de2fb63d4206477749f5267a619938
SHA1414d256d6a3c872ade35d46a0d99abba8484b520
SHA256398c5ef7f3536324af021761d8f9b88967b38be3f8fa30cf58ea70551640e483
SHA512f9336cd91a78f9d93f4af2eedf0c83f57ae711cfd26854721b9a99bc46d0121f0112ec66c3a8c67b519669f724db7cf7e896d653e16d4c1caa214e4727a5814e
-
Filesize
1KB
MD507a2bd3ee7ee4d4b0657453738f01143
SHA19da5251519ea345365877c04f28e925f5708c564
SHA2568d07a09396965cc231af5faed2f057842a68c5116fcecfdf7e60b9d2e6c2c30c
SHA5129aec4206c60977986ff7aa78c2e46fd07bb54e279d739b61b222e6db00ce7ea8924dbcabedee218c185e7af6cb897ffe85053ede4ea6f8807cf98ae20a4f31d7
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5bfedf7a990c614b1d6ba797edfec858f
SHA13ef3806424a7c468fbce915425e57bd3cd11a86b
SHA2566f9cb6d4a636c4793f20d72653005e2e1b0b9d50094cb91193efb9e6dc52dd41
SHA5128178ae744cc05359a2d460311c64314d3a42730a1958264126e1c1891b343669797606ad303f73a332ee3dee67a1e33e8585222fb7e00a68ce42786fc540cbb0
-
Filesize
10KB
MD5325494bf6ddd22186090bd03431f880e
SHA1bf9ff425f9c5e96b52a06611ef197e8138fbc875
SHA256fe4c130a1ea56f60f361071cf104d92b7b8c4738e7971d7e9c1156c01a14cc15
SHA5125ad7bd29c11dd28e723506124f9463ea0bcbc135e4a9569bcc1581e1b05ce13116b5f36df108e3c2e17aa6752ee676d80c29baaec93d65c0cff25e41807ca55a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2037190880-819243489-950462038-1000\7458e761378f037c3876e5f758c99c96_35514afb-ef24-48fa-8662-3709156a3dd3
Filesize
3KB
MD546219c1fcf707aea671af71ca1192130
SHA181b5beffde2d3b1cc026e52d195e44f369960cc9
SHA2561905919490282158abbfe54762d5e1bc7ab64edb03b4f75ecb541615151642dc
SHA512ec33d8f8ba87272cb432739824f3abc360d2be969d02d4cf6c4c46f7edfc7198a7d57c077f645c40592d34e966a5e553c159e7d5e4dc891159e001592d7e1ced
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2037190880-819243489-950462038-1000\cf14ba5cbdcd2150f058a146d1c9f188_35514afb-ef24-48fa-8662-3709156a3dd3
Filesize
3KB
MD5524e3d1096a630bcd1e7895034a19f00
SHA1f4677c2040bd71ad928fc57a3204063e6ae01332
SHA256c0a66345056e5540589cd0abe634246349b518ee79aa8cdf8dc411ee0c9cc242
SHA5122879b1451d49c9f4de704c9ac363e4c21dd2cf85053368f235b46e21418796ef4b81dc749ecd1c7e8960f18d4756ad6f190f69819eb09e377c4b38245f8779d0
-
Filesize
1.5MB
MD57420a4094de8f85ed0e8d54bd169706a
SHA1e3b9dc5052b11c4b85e5ed738e03b28d629501ab
SHA256a124c6ec9cf80806f93f53e1642ce0d103eda8573989547e759c104a7adc6b46
SHA512559ae981dec35f611356e720f7bfc71a83070cf5467eb94cf1662af3473aab3fcdb4039ca5ebc0b55cc864070559de017709c9ebcd10c45a241654d13928b60c
-
Filesize
2.6MB
MD5d30b83058acbcdd7d9ee4eba0bef74c5
SHA16fafd8d40d0da37aaa294d3781522838be1b8c1a
SHA25627ef0c502a2fdc5e04d226ee931a55f50ae398af2b52560ffcd63f96a2bb80cf
SHA5124ab647bd46f7fbfec4ca2f7608a574659992e7db94795333b90df4f2e3de9043c09dc30d6a2768981bb16728f46d2edebb658cd37b048a095b43260e9bd3c289
-
Filesize
2.6MB
MD5d971e0808c073882348af05d706eef77
SHA10b4f84e016cdb2e3178229b2cbca88076fe89c63
SHA2564f484d6aee58371249f6da4bed0355898ceb6ce7f6b2b944bd0b51e91bff460d
SHA51294f64a9ac40a9ccff1f2aaa1eddef3a7a6b6945be0256fea3714df13e16a9fdfaa42b39a43bc841e2169fdd43db7be124e0e4ebc403d346e9fcf67c0b9a91f8d
-
Filesize
3.0MB
MD5602c27df6c369b2ec1fad3021420c5b7
SHA15cd0e1426e194299df4d1377060e0b148213d0bc
SHA256ddc869ca514f497d89e629021f161abf069942bfd66fb6cbd05090267e93b518
SHA512d3008af83b09374dbb3f652eee901a59def9399baea1e6db40ecab9f9f60c9494021ff33d6fc421f56ad4fe3c931fbe5d79842eff970922778f7d123e2107368
-
Filesize
1011B
MD589e111942b5b2963d5df306e8fde1db0
SHA15183193ded73ccaffbb0268899bcae9024f8fae4
SHA256ad1e0ebd483c4e62b07e6a814e59f888246046e2a57cbfec5196754cc0f3e0d9
SHA5126ceeebd46423395068399649e115962e286b5f24f60ac689359df5e7a35797e5b07b75d1d71b468e6a4e6f53af5b127b0fbc0a4a0fc42fa8db0c7dd3871e2e47
-
Filesize
4KB
MD589162a296cde6d2a65d1635193f0be45
SHA1795f2e9ac3aa50648633b0e4321dda8f7ce340c0
SHA256c873797c0f3f6f062b15b4202cc73e549d2afc37708eb740fc8f12d2a3936f33
SHA5122def3c712a1fc0974d7ce7b5335c94fce727708785c9b8e1ad0428b928515737c61b2c75d51a61eddab57fc8d4c3020ee728f2eb3f4fe21acb253686d28e8d3c
-
Filesize
406B
MD5c82d7a10fc3d28db9ced285da845b675
SHA16efc4ce5b173f2d21d9ea3db192ec80697b1d8dc
SHA256a15318198806ff22f5437996a15e1bc4db0cc19db1f096f4a6b81010efec7c6d
SHA512e2e42d1ef92ba2caf8b2a0fc32c6ea6784c4b0ea4e17812ceacf8d5612fba74dcdcdee582b5a8a16e25d5538c09ca1772344a038b0441b73837742e376cd9297
-
Filesize
1.8MB
MD5331d7cce7d22db9332047e99499137da
SHA19cab5e4ada8ed2ce87a5956042497b223b9ab468
SHA2567e1919518d0d3e0ea0f26f62879333bd88bb933a66473c8142d8f3a39fac600f
SHA512a8c7586b9a580f9f07a8a7c4b4dce99cdc17869ad23cf5594d5844a5aca1c390cbff58bd2a43fcdba83ce8e9055c3f544ba9474ec8f55d14b9e082356c447841
-
Filesize
1.4MB
MD526cf4a99858e3d5a3f26952490b4444e
SHA1dded2c521d8fb1733829cf4767e39c3352b2393b
SHA25650a78fb3e115a56ab3e604aa7ed0ede22c279f3a234068b571b611ad9a6bf839
SHA512736052798785670d4779a786a1cd7e8fb55d6348f4d6629c0497f95b6959019c3e878ce63b14ed9d4b6436a5f13d686dfc6c4147b1a08e109a93fa360b3f9332