Analysis
-
max time kernel
1734s -
max time network
1699s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
15-12-2023 08:12
Static task
static1
Behavioral task
behavioral1
Sample
dream_TradingCard (4).jpg
Resource
win7-20231020-en
General
-
Target
dream_TradingCard (4).jpg
-
Size
294KB
-
MD5
fdf2dca307fc564105fa4fc1e1bddf84
-
SHA1
e2b530fa74d7402bcf01754b05c17554e95ba84e
-
SHA256
244b20fc9114e2434daded7633dbdd44e625fa9cdcd326b2449e80fbe141cf5b
-
SHA512
a9f0605a42c4e3584696465d1cdb3c8f68b79463492b8bb998aef68709070ad836519dd291f4c3f674a6fd63212bba9966b1a23dfd1b756818a872345ed539b0
-
SSDEEP
6144:Dcn8Z/B7Ho3FUG6JHaNEBPK620wPYa4t2OOhBrEtpRTPjLIzHoDadpnvr1ZtQS:DJn7Ho3FdIaSFZ20cYa4LmBoRTYToDsh
Malware Config
Extracted
quasar
1.4.1
Office04
10.127.1.19:4782
153727a8-3e08-46a6-9c31-e40905d675a5
-
encryption_key
FA4416FD9C12C4F5A074C55DAFAC352262E03C63
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Java Updater
-
subdirectory
SubDir
Signatures
-
Quasar payload 4 IoCs
resource yara_rule behavioral2/memory/5764-586-0x00000246E8050000-0x00000246E8188000-memory.dmp family_quasar behavioral2/memory/5764-589-0x00000246E9D30000-0x00000246E9D46000-memory.dmp family_quasar behavioral2/files/0x000700000001da9d-651.dat family_quasar behavioral2/memory/5128-728-0x0000000000560000-0x0000000000884000-memory.dmp family_quasar -
Executes dropped EXE 2 IoCs
pid Process 5128 Client-built.exe 1156 Client.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\system32\SubDir\Client.exe Client-built.exe File opened for modification C:\Windows\system32\SubDir\Client.exe Client-built.exe File opened for modification C:\Windows\system32\SubDir Client-built.exe File opened for modification C:\Windows\system32\SubDir Client.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4356 schtasks.exe 2392 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 5896 ipconfig.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 Quasar.exe Set value (int) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" Quasar.exe Set value (int) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings Quasar.exe Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} Quasar.exe Set value (int) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" Quasar.exe Set value (int) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 Quasar.exe Set value (str) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "5" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0 = 66003100000000008f57134210005155415341527e312e3100004c0009000400efbe8f57ee418f5713422e00000011330200000007000000000000000000000000000000ba3819015100750061007300610072002000760031002e0034002e00310000001a000000 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" Quasar.exe Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell Quasar.exe Set value (str) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" Quasar.exe Set value (data) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0 = 66003100000000008f57ee4110005155415341527e312e3100004c0009000400efbe8f57ee418f57ee412e00000023310200000007000000000000000000000000000000b2c6e2005100750061007300610072002e00760031002e0034002e00310000001a000000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff Quasar.exe Set value (int) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings msedge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 Quasar.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Quasar.exe Set value (int) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" Quasar.exe Set value (int) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 Quasar.exe Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Quasar.exe Set value (int) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = 00000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 50003100000000007b57b591100041646d696e003c0009000400efbe7b57968b8f57a9412e0000007de10100000001000000000000000000000000000000a5cac600410064006d0069006e00000014000000 explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" explorer.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4960 explorer.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 2848 msedge.exe 2848 msedge.exe 2008 msedge.exe 2008 msedge.exe 4364 identity_helper.exe 4364 identity_helper.exe 5704 msedge.exe 5704 msedge.exe 5936 msedge.exe 5936 msedge.exe 972 msedge.exe 972 msedge.exe 972 msedge.exe 972 msedge.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 3684 Quasar.exe 4960 explorer.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
pid Process 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 5764 Quasar.exe Token: SeDebugPrivilege 3684 Quasar.exe Token: SeDebugPrivilege 5128 Client-built.exe Token: SeDebugPrivilege 1156 Client.exe -
Suspicious use of FindShellTrayWindow 43 IoCs
pid Process 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 5764 Quasar.exe 3684 Quasar.exe -
Suspicious use of SendNotifyMessage 28 IoCs
pid Process 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 2848 msedge.exe 5764 Quasar.exe 3684 Quasar.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 4960 explorer.exe 4960 explorer.exe 3684 Quasar.exe 4960 explorer.exe 4960 explorer.exe 4960 explorer.exe 4960 explorer.exe 1156 Client.exe 4960 explorer.exe 4960 explorer.exe 4960 explorer.exe 4960 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2848 wrote to memory of 2540 2848 msedge.exe 110 PID 2848 wrote to memory of 2540 2848 msedge.exe 110 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 452 2848 msedge.exe 112 PID 2848 wrote to memory of 2008 2848 msedge.exe 111 PID 2848 wrote to memory of 2008 2848 msedge.exe 111 PID 2848 wrote to memory of 3336 2848 msedge.exe 113 PID 2848 wrote to memory of 3336 2848 msedge.exe 113 PID 2848 wrote to memory of 3336 2848 msedge.exe 113 PID 2848 wrote to memory of 3336 2848 msedge.exe 113 PID 2848 wrote to memory of 3336 2848 msedge.exe 113 PID 2848 wrote to memory of 3336 2848 msedge.exe 113 PID 2848 wrote to memory of 3336 2848 msedge.exe 113 PID 2848 wrote to memory of 3336 2848 msedge.exe 113 PID 2848 wrote to memory of 3336 2848 msedge.exe 113 PID 2848 wrote to memory of 3336 2848 msedge.exe 113 PID 2848 wrote to memory of 3336 2848 msedge.exe 113 PID 2848 wrote to memory of 3336 2848 msedge.exe 113 PID 2848 wrote to memory of 3336 2848 msedge.exe 113 PID 2848 wrote to memory of 3336 2848 msedge.exe 113 PID 2848 wrote to memory of 3336 2848 msedge.exe 113 PID 2848 wrote to memory of 3336 2848 msedge.exe 113 PID 2848 wrote to memory of 3336 2848 msedge.exe 113 PID 2848 wrote to memory of 3336 2848 msedge.exe 113 PID 2848 wrote to memory of 3336 2848 msedge.exe 113 PID 2848 wrote to memory of 3336 2848 msedge.exe 113 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\dream_TradingCard (4).jpg"1⤵PID:3160
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffacb6a46f8,0x7ffacb6a4708,0x7ffacb6a47182⤵PID:2540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2008
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1948 /prefetch:22⤵PID:452
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:82⤵PID:3336
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:12⤵PID:2176
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:12⤵PID:1992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:12⤵PID:4356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:12⤵PID:3572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:82⤵PID:5016
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4364
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:12⤵PID:3180
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:12⤵PID:5420
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5536 /prefetch:82⤵PID:5696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5448 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:12⤵PID:6056
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:12⤵PID:5568
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:12⤵PID:5616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:12⤵PID:5624
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:12⤵PID:5844
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:12⤵PID:5860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:12⤵PID:5396
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:12⤵PID:5392
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6596 /prefetch:82⤵PID:2180
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:12⤵PID:5384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6604 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5936
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2728 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:972
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1944
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1640
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2444
-
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5764 -
C:\Windows\explorer.exe"C:\Windows\explorer.exe" /select, "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12"2⤵PID:5520
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4960 -
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3684
-
-
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:5128 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
PID:2392
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1156 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
PID:4356
-
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵PID:3568
-
C:\Windows\system32\ipconfig.exeipconfig2⤵
- Gathers network information
PID:5896
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5ef2ab50a3d368243b8203ac219278a5d
SHA12d154d63c4371354ff607656a4d94bc3734658a9
SHA2562e2faf2873e0b8d58788da8603acdd772642a396fff661c4e32f8a581362cbdf
SHA5124533997bf4070f99306337b8ff553691d4cf1d1b53401628524ad4dc9d29bd0536a3f2df4ecdd0a8afa81b7f917f40524c9a1898b566ee499a358abc5c84b27a
-
Filesize
62KB
MD5c3c0eb5e044497577bec91b5970f6d30
SHA1d833f81cf21f68d43ba64a6c28892945adc317a6
SHA256eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb
SHA51283d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38
-
Filesize
69KB
MD5c33c3755c9bc5c370e51bd72a524da35
SHA17b4d2ef2b5e0188562afcd4c87060a809a7d2919
SHA256e30aeba2b555fe999989e290128024451d7b1bccd13060ce16990a39937a3113
SHA5127c656b1f7e9806208c87b1f22d27f07f400c5bdd3fd258056a4046c7999d4f83f6c473800b09e36450eff9ff9dd86d045eedead515aeb4bdb55e9d9889e90de5
-
Filesize
23KB
MD5de49e39687e06cc5533b84d3a37b861f
SHA18c2c09b8f17e5c6bc20dd050ee7a88ab23f93e55
SHA25673c2a51f287192796dc8e6e33ed40cb8427bd6d9d4088ced267052c6be90f416
SHA512446f81670ba584787ec54a183df4c419ccc0f48ea6a25b35b2bab0a07e29c85a66d3a41d1016fdaf00cbafed6e4b932c8747400896f99f7d7a23c6d526a93664
-
Filesize
19KB
MD576a3f1e9a452564e0f8dce6c0ee111e8
SHA111c3d925cbc1a52d53584fd8606f8f713aa59114
SHA256381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c
SHA512a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274
-
Filesize
65KB
MD556d57bc655526551f217536f19195495
SHA128b430886d1220855a805d78dc5d6414aeee6995
SHA256f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA5127814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
-
Filesize
85KB
MD545a177b92bc3dac4f6955a68b5b21745
SHA1eac969dc4f81a857fdd380b3e9c0963d8d5b87d1
SHA2562db3b6356f027b2185f1ca4bc6b53e64e428201e70e94d1977f8aab9b24afaeb
SHA512f6a599340db91e2a4f48babd5f5939f87b907a66a82609347f53381e8712069c3002596156de79650511c644a287cbd8c607be0f877a918ae1392456d76b90ca
-
Filesize
1015KB
MD5aaa3bfbfb2e4d619eed90ea229e3b8d4
SHA1dbb45e2e5ef5025a2c02ae7456525b968bf74335
SHA256fa84161b327968256f1bce5d0383b121466152cd16f94ae19d9d9c07b29906b8
SHA51265bef3e0893b3ddc2861b2908e8b5497848b165e01a4fc10e2440d62855486dbdad575342b771e56c8b0be564320b676fe6716cfa6e13958b6b955b52c88d88d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD55fd84f8f80b6a9c778a427926b422c34
SHA17b9f8b6e4c35f9f2f743511cd07f85f81564e705
SHA2568a1c91b68e135765db39d41dcdcb750ca2986f589e4f3ebe0549a363d6fd17fb
SHA512cc0ea1fcf4b4180ad163d694430325ae62aebe3b2828e4f533101dc1123efaff00b0bfe8c3c6903174dcfe7c160ac30194da99de7ba30f7660815510b7d628ec
-
Filesize
784B
MD5c17cb606ac94aa5755438f741d510a40
SHA184cab38d22373279459720e85895e92009ce1113
SHA2561b7badec443e636b9b8db82872e1973f9c945649551796a994d54015c4616995
SHA5128fc0e6afbc8c2cbaa03091a03e7b9b5de11fa7a2b2457ed502b741140b19c575087ada9f2837a5a85df482397d2d6de445781960a71ed6cf4f10b5918aed2980
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
5KB
MD59825c4e0409ce0cabf069928a8e33d12
SHA108e9f0d10df4369f79c556a068ae04920ea9b922
SHA256789ddef68177e6a36f7b48b1ed2dedf28360987322fc225e60cef1baa159aaef
SHA5125b2abc5fde079dd5593ec11b69e39685b3a128dba26678533e9109c8c23cab553a68b2f8052334d0a4d5546412f778ebd86bda814ca6e7346e9147c04d158542
-
Filesize
6KB
MD563948d02352358c73a80d767c9b24d7f
SHA12bc2da43fb996b9a7e69bb4a1e52afe606ff88ac
SHA256a148e3949d6cb38888c19c2c0b02944a546088596f35001399ab29a1ac54ee53
SHA512aabe523f0cd77c052fb67ab84230ca7d1a0dc96b22bb33995f6cf3e2aabbb0ad48c4dc72cc4b0baa4fbd3b5fe7c5e3a0d9e4b7d21d8028a05c2d0d3c4d10a5b8
-
Filesize
6KB
MD58a4bbc009cfa01d034ff668977261287
SHA13220d22972cf5aabe5ecf87a739c3baffb271482
SHA25610575c7c06e87896188ec532c7713e1c027c27039f8f9b31c610b1a0e5da5965
SHA5122a6e51d92bc7fcef69d989f5b7654bea9a951df58e7f180ccf8c700d582bec94f51a1a799a35e3ddcecbffa0502fa88acd03c4ba1ad572b65197e6037ca7aa14
-
Filesize
6KB
MD5d536e2b9cb48a4690b0d277ebf24c4a1
SHA117ca91f0d66b46c4db2616aae64de581b41a26ce
SHA256964ed6cb3949bcd31e96b4dc661e232d0c7fa290327aa57f84456227ad68a73d
SHA512f47ccede65fcdfe7fc4a33244a6cb78e4ac5110925d63796e52ce2a38b23e7f7194de61ff7ebc132f48f6005d83d1a464a01c676c76e4625496f4ee21cf7cec1
-
Filesize
5KB
MD5a0f1b7205e4eeb1a292e48c4d9e2222a
SHA1de7024be766981eb2ad7ff983218534cd15edb0c
SHA25619c6be7aa8b68e05d15a517a07f225a743e7434d6cfc60e03bf2776b797ddf49
SHA512428f07496ce3da0231dc20ebc4d4b69c9a8c88a13acfdd40318160cce5ecb9304723e4c9989bf636b665e964bcce1655e9003aa04ce8a645c01ebedf868efe02
-
Filesize
24KB
MD5bf38e67347aea6d520cda5fde321a1e5
SHA10e7a8def4c923201d76b41dfa9918bb1052827ea
SHA2560f0744f36e30e64949c41835aa5666f25c1ab4f3636d9247b8350fd8ad4f8025
SHA512f62478dd4e38c6bef2bfc24f46caa03840613711e2b6fda2aad707df5cbd33b25af4fc3954521e203b981c4a10e5c8fd2520cabc16cdad858eed819b45a6f366
-
Filesize
1KB
MD52749699fbcaf5f3e5b4cde15931b9a38
SHA13b3c0bb36eef925f44f8bbad580eda203dd1f0d1
SHA2564e7b17a1d6711fc62c84192c502193970fd678d3727bf548a3186c69eefb7db4
SHA512baa81e720d5c7636cc7ec3e5eba48d13f7ac863d1f70fea4cfbafb2fc4f0504bdf00761f229013b011bc442c96b979a815ed907eba3e0a2499c9aa9806763151
-
Filesize
1KB
MD5c93ff6eb596412cf569353262da8d030
SHA13db9e126304596d854c6a42b8849c8dfb9e5d4b7
SHA256aa2e206fd50bafcc43c9594a747a5df3070e0c1468f78d02b261179d2248a070
SHA5123a5abb3b54662cdfcd7b512519c40748898cea5b18f95ae3d9bd697b224023b6f63e4e768ae8fdfa285daea2b2362f0e0890038d2acc2c5ce766662b92f21893
-
Filesize
1KB
MD572b8f604c40e19f8ac4d611846dacd00
SHA16cd1d053f448ba01d52cd81783b534bf34fbc013
SHA256d581efb7087c65e3ea55cbfc1a86c7516e379d6b1b80dbca1603ce2c67200f05
SHA5129b0e097d9e16b9c2c0da627d42e2ce3940ba3031fc40d7f30f6c21356e096fe14fd2bbb3d8e0e13b363e73fc0a7770789a4e6ae1d1d1181c1acb95731c5b4a66
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
12KB
MD50c6150644fb705b27ab20774a1e1d922
SHA112b4675eee5735053784394ba6d2b98337837aee
SHA256a0b5a4cea7083f3711df8e21456272da96edef2bb6bde3750591b09cc3a76ce3
SHA5120f57732795b7aaf6938cf3b06166872b14bddf4328b4b7f5d2449876e7f16b8d40e731b684f1772dfa8d4ffaaf06a40407fe29adb22dcb4f36c5289affce26be
-
Filesize
10KB
MD5cd8f1985daa93edc98cac3583f97a946
SHA13955fb69aff49d048fce85686fd8dfc2c6036596
SHA256c33531cb9d0f044df2bbf5a61d2161b997a84d08f5240c0ea2db7f9015a28ff3
SHA5123d572d7f4e24b8f47d3d58a6c85c0d01f8b029742dd30ec328c9732de9edaa93796f61d1a562d80abe812d4db6777794fcb55d6b84e6b6840e73e9ab65888706
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1067295379-1486014338-1703171060-1000\f3e5e21d93f7d775339efc995a776feb_e1378635-0580-4c5a-a4c4-bfb7e4f637be
Filesize3KB
MD5a6d11d463fa2a2629828a8fe4090a980
SHA107e519abc8110189b6c9eaa97326f74dd870b485
SHA2566869f91da7da8061853defd516dd3e6bf13398c46f1d615ff7c1ed6704a7a352
SHA5122abe72e464f5b4e8154ce4493b51e7faed1727afab8287e63addbf44de1e32fbf10c4c9a043a4bdffe623ad975bf476740c5fc3e673756fc1fffa781075704e0
-
Filesize
3.1MB
MD59308f453ad0600d606afe45d6c7d221c
SHA1338a7df52851aa8ad461269e8f6d1f33377f74c7
SHA256746c86f7ad2c05960ff79be17c8d99ce94dfccddd9a5b89def70ef849c0c2b7f
SHA512c241e7586862d3ea83b5d0ff446dee96bc856c6df14a542ddaa9c2ec9143fb8b1b0f0511ee45fb2364eb15701dd150532d25bf2f2659a78a765c86f9e4473963
-
Filesize
1011B
MD5d7d4dda022346822b86235649688eab3
SHA1c1c2af37d24f277c617f0b15384ee82775fb6873
SHA2569a5191b14f3adc3fbf259b8522aabd33a7641ddf836f786e8279c9dc956d772d
SHA51287988db2e6178f9f78bd4620a1b2547b5f691f59efd57d54e98cc339bc2f99313a795c15e444aee521a13bcc5498db16146c24713d6fcf4b4f98cdb7b071b7b0
-
Filesize
4KB
MD58d218e424f9498869160c204e32e31fb
SHA122e7fcd8b3c701a1465cd7bcc647f8d70d6026c0
SHA256961a9c1fbaa5360d30e5d01cb94f8c3df9995d82fe7f024b3fad28bcc2513f4e
SHA5125481b73afdf1a918f40221258cf8f8039880c15cf2c2b88f01148f41560d421c86004486fc978cc4bf03d8d633c86336d19bec77c4ffb1100c5433ca9087e6f6
-
Filesize
371B
MD54080ac8ca23a2589f3a557e0bc8a3558
SHA138656168dcade5d44a4fe4d7fb695033d8627f9c
SHA256211e8c50f375a72700b8674f692e895d17583cf93f774197e5dc45dbc17694ed
SHA512416c6fe67190aaf0fa40e5ff8d2ed28ae1e5cd81b0976e696a585b80b44b92b9b86f340bb865a75e1fc93bfdbe974f10ef1ebc95fca338b901d5cc748f8676bc
-
Filesize
3.3MB
MD513aa4bf4f5ed1ac503c69470b1ede5c1
SHA1c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00
SHA2564cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62
SHA512767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d