Malware Analysis Report

2025-06-16 05:31

Sample ID 240315-fjqlhsgf7w
Target Quasar.v1.4.1.zip
SHA256 4cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62
Tags quasar
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, each with Detonation Overview, Command Line, Signatures, Processes, Network and Files: behavioral22, behavioral15, behavioral17, behavioral19, behavioral21, behavioral10, behavioral12, behavioral31, behavioral32, behavioral13, behavioral23, behavioral28, behavioral2, behavioral3, behavioral4, behavioral24, behavioral27, behavioral29, behavioral30, behavioral26, behavioral5, behavioral6, behavioral8, behavioral9, behavioral11, behavioral18, behavioral20, behavioral25, behavioral1, behavioral7, behavioral14, behavioral16

Analysis Overview

score
10/10

SHA256

4cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62

Threat Level: Known bad

The file Quasar.v1.4.1.zip was found to be: Known bad.

The verdict comes from the static analysis (static1), which matched the archive contents against the Quasar family and Quasar payload signatures and found its PE members unsigned. Quasar is an open-source .NET remote administration tool whose client is widely deployed as a RAT, and the member names seen in the behavioral runs (Quasar v1.4.1\BouncyCastle.Crypto.dll, Gma.System.MouseKeyHook.dll, Mono.Cecil.dll with its Pdb, Mdb and Rocks companions, the 3rdPartyLicenses folder and LICENSE) match a release package of that project: BouncyCastle handles certificate generation, Gma.System.MouseKeyHook provides the global input hooks used by the keylogger, and Mono.Cecil is used by the client builder.

The behavioral runs in this report do not exercise that code. Each run either opens a license file (NOTEPAD.EXE, cmd /c, iexplore.exe) or loads one of the dependency DLLs through rundll32.exe with ordinal #1. Those DLLs are managed .NET assemblies with no native export table, so rundll32 cannot find the entry point and exits without running any library code. The remaining activity recorded on the Windows 10 images (rundll32 EDGEHTML.dll,#141, svchost.exe -k UnistackSvcGroup, SeManageVolumePrivilege in svchost.exe, reverse DNS lookups sent to 8.8.8.8, connections to g.bing.com and tse1.mm.bing.net, the UnistoreDB\store.jfm write) is operating-system background activity and appears identically in runs whose only action is opening a text file in Notepad. The Internet Explorer registry changes in behavioral5 are IE's normal first-run and session state for opening a local HTML file. No command-and-control traffic, persistence or code injection is visible in these runs, and none of the runs shown here attributes FindShellTrayWindow, SetWindowsHookEx or WriteProcessMemory activity to a file from the archive. Assessing the RAT itself requires detonating the executables that the static Quasar payload signature matched, not the archive as a whole.

Malicious Activity Summary

quasar

Quasar payload

Quasar family

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-15 04:54

Signatures

Quasar family

quasar

Quasar payload

3 matches (description, indicator, process and target not recorded)

Unsigned PE

11 matches (description, indicator, process and target not recorded)
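The static verdict rests on two checks any analyst can reproduce offline: the archive hash and the presence of an Authenticode certificate table in each PE member. The Python below is an added example, not code from the sandbox or from the Quasar project. It verifies the report's SHA256, walks the zip, and reads the certificate data directory (slot 4 of the optional header's data directories) to classify each member as signed, unsigned or not a PE. Because the real archive is not embedded here, it builds a constructed stand-in zip containing minimal header-only PE images named after two of the DLLs this report lists plus a hypothetical signed placeholder; pass a path on the command line to run it against the real file.

```python
import hashlib
import io
import struct
import zipfile
from typing import Dict, Optional, Tuple

# SHA256 of Quasar.v1.4.1.zip as stated in this report.
EXPECTED_SHA256 = "4cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62"
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data-directory slot of the certificate table


def has_authenticode(pe: bytes) -> Optional[bool]:
    """True if the image has a non-empty certificate table (an embedded Authenticode
    blob), False if that slot is empty (the sandbox's 'Unsigned PE' condition), None
    if the bytes are not a PE. Presence is not validity: the blob still has to be
    verified against a trusted chain, which this function does not do."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if e_lfanew + 24 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    (size_of_opt,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    if opt + 2 > len(pe):
        return None
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:                       # PE32
        nrva_off, dirs_off = 92, 96
    elif magic == 0x20B:                     # PE32+
        nrva_off, dirs_off = 108, 112
    else:
        return None
    dir_off = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if opt + nrva_off + 4 > len(pe) or dir_off + 8 > len(pe):
        return None                          # truncated header
    (n_dirs,) = struct.unpack_from("<I", pe, opt + nrva_off)
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or dir_off + 8 > opt + size_of_opt:
        return False                         # header declares no certificate slot
    file_offset, size = struct.unpack_from("<II", pe, dir_off)
    return file_offset != 0 and size != 0


def audit_zip(zip_bytes: bytes, expected_sha256: Optional[str] = None
              ) -> Tuple[Optional[bool], Dict[str, str]]:
    """Hash-check the archive and label every member 'signed', 'unsigned' or 'not-pe'."""
    hash_ok = None
    if expected_sha256:
        hash_ok = hashlib.sha256(zip_bytes).hexdigest() == expected_sha256.lower()
    members: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            state = has_authenticode(zf.read(info))
            members[info.filename] = "not-pe" if state is None else ("signed" if state else "unsigned")
    return hash_ok, members


def make_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header (no sections, not loadable) for the demo zip."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                     # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                      # NumberOfRvaAndSizes
    cert = b""
    if signed:  # WIN_CERTIFICATE: dwLength, wRevision 0x0200, wCertificateType PKCS#7, dummy body
        cert = struct.pack("<IHH", 16, 0x0200, 0x0002) + b"\0" * 8
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         0x40 + 4 + 20 + 240, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


def build_sample_zip() -> bytes:
    """Constructed stand-in for the archive; member names come from this report except
    the hypothetical signed placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Quasar v1.4.1/BouncyCastle.Crypto.dll", make_pe(signed=False))
        zf.writestr("Quasar v1.4.1/Gma.System.MouseKeyHook.dll", make_pe(signed=False))
        zf.writestr("Quasar v1.4.1/signed-placeholder.dll", make_pe(signed=True))
        zf.writestr("Quasar v1.4.1/LICENSE", b"MIT License\n")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_zip()
    hash_ok, members = audit_zip(blob, EXPECTED_SHA256)
    print("sha256 matches report:", hash_ok)
    for name, state in members.items():
        print(f"{state:9} {name}")
```

Against the constructed zip the hash check reports False, which is the expected result for anything other than the real Quasar.v1.4.1.zip. A non-empty certificate table only says a signature blob exists; the sandbox's "Unsigned PE" signature answers the same binary question and likewise does not verify the chain.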

Analysis: behavioral22

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:16

Platform

win10v2004-20240226-en

Max time kernel

450s

Max time network

451s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\Gma.System.MouseKeyHook.dll",#1

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\Gma.System.MouseKeyHook.dll",#1

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup
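The rundll32.exe and svchost.exe entries above are the sandbox's own launch of the sample and Windows 10 background processes, but a detection engineer reviewing this report would still want the rule that fires on the first of them: rundll32.exe loading a DLL from a user-writable directory by ordinal. The Python below is an added example and not sandbox code. It parses process command lines copied from this report (embedded inline), extracts the DLL path and entry point, and flags loads from user-writable locations while leaving the System32 EDGEHTML.dll load alone. The list of user-writable directory markers is an assumption made for this example.

```python
import re
from typing import Dict, List, Optional

# Process command lines copied from the behavioral runs in this report.
CMDLINES = [
    r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\Gma.System.MouseKeyHook.dll",#1',
    r'"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe',
    r'C:\Windows\System32\svchost.exe -k UnistackSvcGroup',
    r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\BouncyCastle.Crypto.dll",#1',
    r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\Mono.Cecil.Mdb.dll",#1',
    r'C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\SilkIcons_license.txt"',
]

# rundll32 syntax: [path\]rundll32.exe <dll>,<entry> [args]; the DLL path may be
# quoted and the entry point is either an export name or #ordinal.
RUNDLL32_RE = re.compile(
    r'^"?(?P<exe>[^"]*?rundll32\.exe)"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>#?\w+)',
    re.IGNORECASE,
)

# Assumed for this example: path fragments a standard user can write to. Tune per
# environment; a production rule would also cover mapped drives and removable media.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\",
    "\\users\\public\\", "\\windows\\temp\\",
)


def detect_rundll32_from_user_dir(cmdline: str) -> Optional[Dict[str, object]]:
    """Return a finding when rundll32 is asked to load a DLL from a user-writable path."""
    m = RUNDLL32_RE.match(cmdline.strip())
    if not m:
        return None
    dll = m.group("dll").strip()
    if not any(marker in dll.lower() for marker in USER_WRITABLE_MARKERS):
        return None
    entry = m.group("entry")
    return {
        "dll": dll,
        "entry": entry,
        "by_ordinal": entry.startswith("#"),   # ordinal loads hide the function name
        "cmdline": cmdline,
    }


def triage(cmdlines: List[str]) -> List[Dict[str, object]]:
    """Run the detector over a batch of command lines and keep only the findings."""
    return [f for f in (detect_rundll32_from_user_dir(c) for c in cmdlines) if f]


if __name__ == "__main__":
    for finding in triage(CMDLINES):
        print(f"rundll32 from user dir: {finding['dll']} entry={finding['entry']}")
```

In this report every hit is a sandbox-generated launch of a managed dependency DLL that exposes no native ordinal #1, so the rule is a true positive on the pattern and a false positive on intent; a production rule would join the hit with the process exit code or the rundll32 "missing entry" error to separate failed loads from executed ones.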

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 199.111.78.13.in-addr.arpa udp

Files

memory/2628-0-0x0000024C0A640000-0x0000024C0A650000-memory.dmp

memory/2628-16-0x0000024C0A740000-0x0000024C0A750000-memory.dmp

memory/2628-32-0x0000024C12A20000-0x0000024C12A21000-memory.dmp

memory/2628-34-0x0000024C12A50000-0x0000024C12A51000-memory.dmp

memory/2628-35-0x0000024C12A50000-0x0000024C12A51000-memory.dmp

memory/2628-36-0x0000024C12B60000-0x0000024C12B61000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:13

Platform

win7-20240215-en

Max time kernel

361s

Max time network

362s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\SilkIcons_license.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\SilkIcons_license.txt"

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:15

Platform

win7-20240215-en

Max time kernel

357s

Max time network

358s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\protobuf-net_license.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\protobuf-net_license.txt"

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:15

Platform

win7-20240221-en

Max time kernel

359s

Max time network

359s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\BouncyCastle.Crypto.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\BouncyCastle.Crypto.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:15

Platform

win7-20240221-en

Max time kernel

361s

Max time network

364s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\Gma.System.MouseKeyHook.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\Gma.System.MouseKeyHook.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:08

Platform

win10v2004-20240226-en

Max time kernel

454s

Max time network

455s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\Mono.Cecil_license.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\Mono.Cecil_license.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:09

Platform

win10v2004-20240226-en

Max time kernel

527s

Max time network

444s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\Open.Nat_license.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\Open.Nat_license.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:18

Platform

win7-20240215-en

Max time kernel

361s

Max time network

362s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\Mono.Cecil.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\Mono.Cecil.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:18

Platform

win10v2004-20240226-en

Max time kernel

444s

Max time network

449s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\Mono.Cecil.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\Mono.Cecil.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:09

Platform

win7-20240221-en

Max time kernel

359s

Max time network

363s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\ResourceLib_license.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\ResourceLib_license.txt"

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:16

Platform

win7-20240220-en

Max time kernel

359s

Max time network

360s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\LICENSE"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\LICENSE"

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:17

Platform

win10v2004-20240226-en

Max time kernel

541s

Max time network

588s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\Mono.Cecil.Pdb.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\Mono.Cecil.Pdb.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
NL 52.111.243.31:443 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
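The Network tables in this report mix three kinds of traffic: reverse (PTR) lookups of Microsoft addresses sent to the sandbox's resolver at 8.8.8.8, Windows 10's own connections to g.bing.com and tse1.mm.bing.net, and a few bare IP destinations with no resolved name (138.91.171.81:80 in behavioral22, 52.142.223.178:80 in behavioral32, and 52.142.223.178:80 plus 52.111.243.31:443 here). The Python below is an added example, not sandbox output. It parses rows copied from those tables, converts PTR names back to the address that was looked up, removes the background traffic using an allowlist that is this example's own assumption, and leaves everything else in a review bucket. Items in that bucket are candidates, not confirmed indicators: these runs executed only license viewers and a rundll32 that found no entry point, so the remaining destinations need an ownership (whois/ASN) check before being treated as command-and-control.

```python
import re
from typing import Dict, List, Optional, Tuple

# Rows copied from the Network tables of behavioral22, behavioral32 and behavioral28 in
# this report (Country, Destination, optional Domain, Proto). Duplicates kept on purpose.
NETWORK_ROWS = """\
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
NL 52.142.223.178:80 tcp
NL 52.111.243.31:443 tcp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
"""

# Analyst allowlist (assumption for this example, not from the report): hostnames a stock
# Windows 10 image contacts on its own for Start-menu and search content.
BACKGROUND_DOMAINS = ("bing.com", "bing.net")
SANDBOX_RESOLVER = "8.8.8.8:53"

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.I)


def ptr_to_ip(name: str) -> Optional[str]:
    """Turn a reverse-lookup name back into the IPv4 address that was queried."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def parse_row(line: str) -> Optional[Dict[str, str]]:
    """Split one table row; the Domain column is absent for bare-IP connections."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    else:
        return None
    return {"country": country, "dest": dest, "domain": domain, "proto": proto}


def classify(row: Dict[str, str]) -> Tuple[str, str]:
    dom = row["domain"].lower()
    ip = ptr_to_ip(dom)
    if row["dest"] == SANDBOX_RESOLVER and ip:
        return "ptr-lookup", ip                       # the address being reverse-resolved
    if dom and any(dom == d or dom.endswith("." + d) for d in BACKGROUND_DOMAINS):
        return "os-background", dom
    label = row["dest"] if not dom else f'{row["dest"]} ({dom})'
    return "review", label


def triage_network(text: str) -> Dict[str, List[str]]:
    """Bucket every row, de-duplicating within each bucket while keeping first-seen order."""
    buckets: Dict[str, List[str]] = {"ptr-lookup": [], "os-background": [], "review": []}
    for line in text.splitlines():
        row = parse_row(line)
        if not row:
            continue
        bucket, value = classify(row)
        if value not in buckets[bucket]:
            buckets[bucket].append(value)
    return buckets


if __name__ == "__main__":
    for bucket, values in triage_network(NETWORK_ROWS).items():
        print(f"{bucket}: {', '.join(values)}")
```

The PTR bucket is worth a second look even though it is noise here: the addresses being resolved are the peers the guest talked to, so a reverse lookup of an unexpected address can reveal a connection the table itself never shows as a TCP row.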

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:05

Platform

win10v2004-20231215-en

Max time kernel

572s

Max time network

572s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Quasar.v1.4.1.zip

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Quasar.v1.4.1.zip

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

memory/4596-0-0x0000022B7C880000-0x0000022B7C890000-memory.dmp

memory/4596-16-0x0000022B7C980000-0x0000022B7C990000-memory.dmp

memory/4596-32-0x0000022B7CCF0000-0x0000022B7CCF1000-memory.dmp

memory/4596-34-0x0000022B7CD20000-0x0000022B7CD21000-memory.dmp

memory/4596-35-0x0000022B7CD20000-0x0000022B7CD21000-memory.dmp

memory/4596-36-0x0000022B7CE30000-0x0000022B7CE31000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:05

Platform

win7-20240220-en

Max time kernel

359s

Max time network

360s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\Be.HexEditor_license.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\Be.HexEditor_license.txt"

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:05

Platform

win10v2004-20240226-en

Max time kernel

454s

Max time network

455s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\Be.HexEditor_license.txt"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\Be.HexEditor_license.txt"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

memory/2040-0-0x000001388B840000-0x000001388B850000-memory.dmp

memory/2040-16-0x000001388B940000-0x000001388B950000-memory.dmp

memory/2040-32-0x0000013893CB0000-0x0000013893CB1000-memory.dmp

memory/2040-34-0x0000013893CE0000-0x0000013893CE1000-memory.dmp

memory/2040-35-0x0000013893CE0000-0x0000013893CE1000-memory.dmp

memory/2040-36-0x0000013893DF0000-0x0000013893DF1000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:16

Platform

win10v2004-20240226-en

Max time kernel

448s

Max time network

450s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\LICENSE"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\LICENSE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:16

Platform

win7-20240221-en

Max time kernel

361s

Max time network

362s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\Mono.Cecil.Pdb.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\Mono.Cecil.Pdb.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:17

Platform

win7-20240220-en

Max time kernel

361s

Max time network

362s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\Mono.Cecil.Rocks.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\Mono.Cecil.Rocks.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:17

Platform

win10v2004-20240226-en

Max time kernel

443s

Max time network

449s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\Mono.Cecil.Rocks.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\Mono.Cecil.Rocks.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:16

Platform

win10v2004-20240226-en

Max time kernel

452s

Max time network

454s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\Mono.Cecil.Mdb.dll",#1

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\Mono.Cecil.Mdb.dll",#1

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

memory/2764-0-0x0000011194140000-0x0000011194150000-memory.dmp

memory/2764-16-0x0000011194240000-0x0000011194250000-memory.dmp

memory/2764-32-0x000001119C7B0000-0x000001119C7B1000-memory.dmp

memory/2764-33-0x000001119C7E0000-0x000001119C7E1000-memory.dmp

memory/2764-34-0x000001119C7E0000-0x000001119C7E1000-memory.dmp

memory/2764-35-0x000001119C7E0000-0x000001119C7E1000-memory.dmp

memory/2764-36-0x000001119C7E0000-0x000001119C7E1000-memory.dmp

memory/2764-37-0x000001119C7E0000-0x000001119C7E1000-memory.dmp

memory/2764-38-0x000001119C7E0000-0x000001119C7E1000-memory.dmp

memory/2764-39-0x000001119C7E0000-0x000001119C7E1000-memory.dmp

memory/2764-40-0x000001119C7E0000-0x000001119C7E1000-memory.dmp

memory/2764-41-0x000001119C7E0000-0x000001119C7E1000-memory.dmp

memory/2764-42-0x000001119C7E0000-0x000001119C7E1000-memory.dmp

memory/2764-43-0x000001119C400000-0x000001119C401000-memory.dmp

memory/2764-44-0x000001119C3F0000-0x000001119C3F1000-memory.dmp

memory/2764-46-0x000001119C400000-0x000001119C401000-memory.dmp

memory/2764-49-0x000001119C3F0000-0x000001119C3F1000-memory.dmp

memory/2764-52-0x0000011193BF0000-0x0000011193BF1000-memory.dmp

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

MD5 58e9bda4ccd5804f305ee32a121011e8
SHA1 b9cb33f0eaf1fad9f2d35c5f94906e4f6090204c
SHA256 1d7fd59757c633050f442ada216e484cc703f5ad71d36812a8e79b93e4335a34
SHA512 0b22e4880c3e74e4ceefb54385a862556c45dcd1052bc9a9aefee367758af9b8fe05342ee6f77197b2e5726e0cfccfdf99fbd18161d8e3b89a3ef48b74461ca3

memory/2764-64-0x000001119C530000-0x000001119C531000-memory.dmp

memory/2764-66-0x000001119C540000-0x000001119C541000-memory.dmp

memory/2764-67-0x000001119C540000-0x000001119C541000-memory.dmp

memory/2764-68-0x000001119C650000-0x000001119C651000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:06

Platform

win7-20240221-en

Max time kernel

357s

Max time network

361s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\BouncyCastle_license.html"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40cca1329576da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5D51D611-E288-11EE-B499-56D57A935C49} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007823eddbcee3e149bc4db86b21295af600000000020000000000106600000001000020000000a8a19f9c6255764adb157beb7765379b42adabacba8030cf63e43aed8717fd9f000000000e80000000020000200000003eb81b82e8ab809f387c31a2e4029ca39064d061c6e540126467a5406e940d57200000002fe3e2020908386a386a900d92c3c6fbc73b1545a75f594928c644b80daa79f5400000005c25b66811667b6cfa46566905f51dfb1210494ea98bd1e3403a6e40a95892aefa7041e13592207bf67502369ab72135556a75840859da15b76b741086a99a30 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416640450" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\BouncyCastle_license.html"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3036 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

Analysis: behavioral6

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:06

Platform

win10v2004-20240226-en

Max time kernel

0s

Max time network

21s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\BouncyCastle_license.html

Signatures

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\BouncyCastle_license.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc3b9246f8,0x7ffc3b924708,0x7ffc3b924718

Network

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 279e783b0129b64a8529800a88fbf1ee
SHA1 204c62ec8cef8467e5729cad52adae293178744f
SHA256 3619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932
SHA512 32730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b

Analysis: behavioral8

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:07

Platform

win10v2004-20240226-en

Max time kernel

577s

Max time network

582s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\GlobalMouseKeyHook_license.txt"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\GlobalMouseKeyHook_license.txt"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Files

Analysis: behavioral9

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:07

Platform

win7-20240221-en

Max time kernel

359s

Max time network

363s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\Mono.Cecil_license.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\Mono.Cecil_license.txt"

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:09

Platform

win7-20231129-en

Max time kernel

359s

Max time network

359s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\Open.Nat_license.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\Open.Nat_license.txt"

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:15

Platform

win10v2004-20240226-en

Max time kernel

570s

Max time network

452s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\protobuf-net_license.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\protobuf-net_license.txt"

Network

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:15

Platform

win10v2004-20240226-en

Max time kernel

444s

Max time network

446s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\BouncyCastle.Crypto.dll",#1

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\BouncyCastle.Crypto.dll",#1

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Files

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

MD5 a55dec6cfb08440f58a404b786ec34aa
SHA1 118d9bdf01362af0f1fa20c9cc3e4c249a71e3c9
SHA256 a57d12ad7bed1575efa818ac6ee391515110ac3dace974e16be9ac6bfa681c64
SHA512 3af17b6eb6ecc2801cc073a7b6f8003dd675c842347510a143f37ea910e9f89858be9543f301daa143b0a107480002f3e32a5da46cb9b7bbb9bac1cc1866b562

Analysis: behavioral25

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:16

Platform

win7-20240221-en

Max time kernel

359s

Max time network

360s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\Mono.Cecil.Mdb.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\Mono.Cecil.Mdb.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:05

Platform

win7-20240215-en

Max time kernel

361s

Max time network

361s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Quasar.v1.4.1.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Quasar.v1.4.1.zip

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:06

Platform

win7-20240221-en

Max time kernel

361s

Max time network

364s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\GlobalMouseKeyHook_license.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\GlobalMouseKeyHook_license.txt"

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:10

Platform

win10v2004-20240226-en

Max time kernel

553s

Max time network

558s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\ResourceLib_license.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\ResourceLib_license.txt"

Network

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-03-15 04:54

Reported

2024-03-15 05:15

Platform

win10v2004-20240226-en

Max time kernel

444s

Max time network

450s

Command Line

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\SilkIcons_license.txt"

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\3rdPartyLicenses\SilkIcons_license.txt"

Network

Files

N/A