Analysis
-
max time kernel
38s -
max time network
38s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
18/08/2024, 17:37
Static task
static1
URLScan task
urlscan1
Malware Config
Signatures
-
Quasar payload 4 IoCs
resource yara_rule behavioral1/files/0x00070000000235bf-251.dat family_quasar behavioral1/memory/5964-254-0x0000024A88DA0000-0x0000024A88ED8000-memory.dmp family_quasar behavioral1/files/0x00070000000235be-255.dat family_quasar behavioral1/memory/5964-256-0x0000024A8AA70000-0x0000024A8AA86000-memory.dmp family_quasar -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation Quasar.exe -
Executes dropped EXE 1 IoCs
pid Process 5964 Quasar.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe -
Modifies registry class 17 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 explorer.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 5560 explorer.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 1664 msedge.exe 1664 msedge.exe 5096 msedge.exe 5096 msedge.exe 4272 identity_helper.exe 4272 identity_helper.exe 956 msedge.exe 956 msedge.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 5964 Quasar.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeRestorePrivilege 5596 7zG.exe Token: 35 5596 7zG.exe Token: SeSecurityPrivilege 5596 7zG.exe Token: SeSecurityPrivilege 5596 7zG.exe Token: SeDebugPrivilege 5964 Quasar.exe -
Suspicious use of FindShellTrayWindow 37 IoCs
pid Process 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5596 7zG.exe 5964 Quasar.exe -
Suspicious use of SendNotifyMessage 25 IoCs
pid Process 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5096 msedge.exe 5964 Quasar.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 5560 explorer.exe 5560 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5096 wrote to memory of 4472 5096 msedge.exe 85 PID 5096 wrote to memory of 4472 5096 msedge.exe 85 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 4888 5096 msedge.exe 86 PID 5096 wrote to memory of 1664 5096 msedge.exe 87 PID 5096 wrote to memory of 1664 5096 msedge.exe 87 PID 5096 wrote to memory of 2404 5096 msedge.exe 88 PID 5096 wrote to memory of 2404 5096 msedge.exe 88 PID 5096 wrote to memory of 2404 5096 msedge.exe 88 PID 5096 wrote to memory of 2404 5096 msedge.exe 88 PID 5096 wrote to memory of 2404 5096 msedge.exe 88 PID 5096 wrote to memory of 2404 5096 msedge.exe 88 PID 5096 wrote to memory of 2404 5096 msedge.exe 88 PID 5096 wrote to memory of 2404 5096 msedge.exe 88 PID 5096 wrote to memory of 2404 5096 msedge.exe 88 PID 5096 wrote to memory of 2404 5096 msedge.exe 88 PID 5096 wrote to memory of 2404 5096 msedge.exe 88 PID 5096 wrote to memory of 2404 5096 msedge.exe 88 PID 5096 wrote to memory of 2404 5096 msedge.exe 88 PID 5096 wrote to memory of 2404 5096 msedge.exe 88 PID 5096 wrote to memory of 2404 5096 msedge.exe 88 PID 5096 wrote to memory of 2404 5096 msedge.exe 88 PID 5096 wrote to memory of 2404 5096 msedge.exe 88 PID 5096 wrote to memory of 2404 5096 msedge.exe 88 PID 5096 wrote to memory of 2404 5096 msedge.exe 88 PID 5096 wrote to memory of 2404 5096 msedge.exe 88
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/quasar/Quasar/releases1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5096 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd3ab646f8,0x7ffd3ab64708,0x7ffd3ab647182⤵PID:4472
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,16372396661487160422,17167707224655337775,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:22⤵PID:4888
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,16372396661487160422,17167707224655337775,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,16372396661487160422,17167707224655337775,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:82⤵PID:2404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16372396661487160422,17167707224655337775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:12⤵PID:5020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16372396661487160422,17167707224655337775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:12⤵PID:3560
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,16372396661487160422,17167707224655337775,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:82⤵PID:2332
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,16372396661487160422,17167707224655337775,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4272
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16372396661487160422,17167707224655337775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:12⤵PID:1536
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16372396661487160422,17167707224655337775,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:12⤵PID:3224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,16372396661487160422,17167707224655337775,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5828 /prefetch:82⤵PID:4588
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16372396661487160422,17167707224655337775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:12⤵PID:3884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,16372396661487160422,17167707224655337775,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16372396661487160422,17167707224655337775,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:12⤵PID:5268
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16372396661487160422,17167707224655337775,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:12⤵PID:5276
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3464
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4908
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5480
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Quasar.v1.4.1\" -ad -an -ai#7zMap15215:88:7zEvent36601⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5596
-
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5964 -
C:\Windows\explorer.exe"C:\Windows\explorer.exe" /select, "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12"2⤵PID:5468
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5560
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5111c361619c017b5d09a13a56938bd54
SHA1e02b363a8ceb95751623f25025a9299a2c931e07
SHA256d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc
SHA512fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2
-
Filesize
152B
MD5983cbc1f706a155d63496ebc4d66515e
SHA1223d0071718b80cad9239e58c5e8e64df6e2a2fe
SHA256cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c
SHA512d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD577a0ff346e1a6499f9a989f08d4f7baf
SHA1a2991941296311a3f6313057508d9c7f11b1ed5b
SHA256df651c1a1938ee95811eb3225da48fa2983ef179525f63bfcb4853b16eb9a64e
SHA5129a849e0618e42e43b3d6f2f5e483dc1229556b90bb3a5aaf2856bf68a6b80a8916a426c969b870851d0118a09ae90b66ffefd8e5ee7dc430a0b6eae153a35f59
-
Filesize
5KB
MD5788373d71fb5fb28c4539b7293f60798
SHA14119b49f5af7242a75967bad0920d8c59afd9ae9
SHA2564d5dd29ee1c2ee62f120863be36ef2ec07c5fe9a6a3171215b7ef62b4729728a
SHA512d53cd3817ccfb84846f8d7e9b90bfc6c736718aa0c77b1b425e7e4b67b1db380d421efd58a5363703634c28406c1bc89d6e02d577b34c12a15626fc207f2afa3
-
Filesize
6KB
MD534c691e7e2cf9747f739b4be503fa2fe
SHA194a7f6a97744230767a6a6b2cad556be98410b0a
SHA256297d4e58fab9a71fe60c2e85ff1bfab77a7cece1e4468459c1f13221f8670c5f
SHA512be8aab37688f88b556e39d189e5298f9cc9a2bac2d19634ae3f533338190041933b5eb8aa146861e94cf244e71f77787d68e1c7f0722222390e470e91d03f6e1
-
Filesize
872B
MD59c13f8bfe65aa8def0615beabba44dc4
SHA12013ef81822d9a5e0ca787df3b257c11187b078c
SHA256e5001de706083c67765a51e4c5a292d842c6ed7381506c2b24f7618f99c8deb9
SHA51207e06e678bc876ea380994f9748d161f01f8d1d7b760f91eec14fbd11455ff3c0a49c0bf7052751f50b459df3d7f911404e5983b1da3039e31899ba3eb68fb59
-
Filesize
872B
MD5ac5abdde4322b8bec66d554eb5297565
SHA1c21a99d6e8f98b0ea6b4a674894564fa81662ef5
SHA256c541953d1933404c44a0b6d93a9f01c375cd132c3305f2cbb3e0d552fbe243af
SHA5125379a5e91a13c835399962e924bb8d85f2fcd45b8e97e5645e0068913b85b101b40b4916b5f918f225b49b8bb36623c601172850b3df6374408f8efc3a42ed07
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD50b3074246dc2bbdbdf53de86cad52a7f
SHA1c4faadcd0b31a33e19a5609cadd502c3f33247f2
SHA2566cf06eedfe4cc2c5e19b0102843c55083040099737acedd82cd025ffb69c9d5e
SHA512b90d128f33b0c0320966f749196e3b8681dc0643ce89502ab1e5e1bcb51572ab0287377ea2a54d033e7de2001ea3ec27d9d31a66860725c39fe6c8d4b06cb45a
-
Filesize
11KB
MD5e05045c6522cf2cab175467ccbdbb219
SHA1e5151c02d3434242a7948a5815d1dd813a2d2d33
SHA2568a04b83a246441bcbbee5bce2c704748e676f8a8a1bec674c19741e08a44ac1a
SHA5122cd0206b6e1682e05bfe430628ab2ae779ff6bae13a2da43381a671855ca79ae6a19f23938b73b63ea6888526fd5736639fce58a43ff34ba1e0123928ae30e56
-
Filesize
3.3MB
MD513aa4bf4f5ed1ac503c69470b1ede5c1
SHA1c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00
SHA2564cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62
SHA512767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d
-
Filesize
3.2MB
MD50cf454b6ed4d9e46bc40306421e4b800
SHA19611aa929d35cbd86b87e40b628f60d5177d2411
SHA256e51721dc0647f4838b1abc592bd95fd8cb924716e8a64f83d4b947821fa1fa42
SHA51285262f1bc67a89911640f59a759b476b30ca644bd1a1d9cd3213cc8aae16d7cc6ea689815f19b146db1d26f7a75772ceb48e71e27940e3686a83eb2cf7e46048
-
Filesize
68KB
MD5cc6f6503d29a99f37b73bfd881de8ae0
SHA192d3334898dbb718408f1f134fe2914ef666ce46
SHA2560b1e0d8f87f557b52315d98c1f4727e539f5120d20b4ca9edba548983213fbb5
SHA5127f4c0a35b612b864ad9bc6a46370801ed7433424791622bf77bf47d6a776cb6a49e4977b34725ead5d0feaa1c9516db2ca75cb8872c77a8f2fab6c37740b681f
-
Filesize
62KB
MD52185564051ea2e046d9f711ed3cd93ff
SHA12f2d7fd470da6d126582ad80df2802aabd6c9cea
SHA256de930a748e4dc08c851ba0a22afce8dcfd0f15f23b291f9306c8ef6ccd7460a2
SHA51200af241c1f89b478e66d758db26ed0a413b690d695abf91211b5cbc3985133632327ea0fc41140bd61d02271b6aa278a8e8f539d8ca6ce94972aef50c1a9c868
-
Filesize
1.2MB
MD512ebf922aa80d13f8887e4c8c5e7be83
SHA17f87a80513e13efd45175e8f2511c2cd17ff51e8
SHA25643315abb9c8be9a39782bd8694a7ea9f16a867500dc804454d04b8bf2c15c51e
SHA512fda5071e15cf077d202b08db741bbfb3dbd815acc41deec7b7d44e055cac408e2f2de7233f8f9c5c618afd00ffc2fc4c6e8352cbdf18f9aab55d980dcb58a275
-
Filesize
176B
MD5c8cd50e8472b71736e6543f5176a0c12
SHA10bd6549820de5a07ac034777b3de60021121405e
SHA256b44739eeff82db2b575a45b668893e2fe8fdd24a709cbf0554732fd3520b2190
SHA5126e8f77fcca5968788cc9f73c9543ce9ab7b416372bc681093aa8a3aad43af1f06c56fcbc296c7897a3654b86a6f9d0e8b0fe036677cf290957924377bc177d9f
-
Filesize
282KB
MD5abc82ae4f579a0bbfa2a93db1486eb38
SHA1faa645b92e3de7037c23e99dd2101ef3da5756e5
SHA256ca6608346291ec82ee4acf8017c90e72db2ee7598015f695120c328d25319ec6
SHA512e06ee564fdd3fe2e26b0dec744a969a94e4b63a2e37692a7dcc244cb7949b584d895e9d3766ea52c9fe72b7a31dacf4551f86ea0d7c987b80903ff43be9faed3
-
Filesize
4KB
MD54aef76680bfbfbae3e0f9e3cc3c3516a
SHA11b6c819d87935f3cf303c794444bc05a8bfce016
SHA256896bf877309050441f73eea4548a6438cb747ca10b490441716ad186ec3d7810
SHA512d40a2ca64e88123f3a99745d92627e3d641bcf76e48a78d1334f36b9c0f86b459ca62b3a78320361c09d1dbc5c32e75e846efe7935d9267214a4398e4d34ebc5