Analysis
-
max time kernel
1486s -
max time network
1496s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
30-10-2024 15:59
General
-
Target
https://github.com/quasar/Quasar/releases/tag/v1.4.1
Malware Config
Extracted
quasar
1.4.1
Office04
10.127.1.46:4782
Hgnbwbgw:4782
1d17e53f-0b94-4baa-9328-7c28e4f94d3b
-
encryption_key
AD10D392779CB6F13E346EA490879C89681AA56F
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 6 IoCs
-
Executes dropped EXE 9 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Modifies Internet Explorer settings 1 TTPs 37 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 53 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/quasar/Quasar/releases/tag/v1.4.11⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa333046f8,0x7ffa33304708,0x7ffa333047182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,430192009163834773,3243292455474194735,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,430192009163834773,3243292455474194735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,430192009163834773,3243292455474194735,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,430192009163834773,3243292455474194735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,430192009163834773,3243292455474194735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,430192009163834773,3243292455474194735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,430192009163834773,3243292455474194735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,430192009163834773,3243292455474194735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,430192009163834773,3243292455474194735,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,430192009163834773,3243292455474194735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,430192009163834773,3243292455474194735,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,430192009163834773,3243292455474194735,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3444 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,430192009163834773,3243292455474194735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,430192009163834773,3243292455474194735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,430192009163834773,3243292455474194735,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3056 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe"C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe"1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" /select, "C:\Users\Admin\Desktop\Quasar v1.4.1\quasar.p12"2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
-
C:\Windows\system32\ipconfig.exeipconfig /all2⤵
- Gathers network information
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa2287cc40,0x7ffa2287cc4c,0x7ffa2287cc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1884,i,6492464791485219927,6102891365506208412,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1880 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2076,i,6492464791485219927,6102891365506208412,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2100 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,6492464791485219927,6102891365506208412,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2324 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,6492464791485219927,6102891365506208412,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3352,i,6492464791485219927,6102891365506208412,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3344 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4576,i,6492464791485219927,6102891365506208412,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3732 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4732,i,6492464791485219927,6102891365506208412,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4748 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4708,i,6492464791485219927,6102891365506208412,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4528,i,6492464791485219927,6102891365506208412,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4996 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4724,i,6492464791485219927,6102891365506208412,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5148 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4836,i,6492464791485219927,6102891365506208412,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5156 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3548,i,6492464791485219927,6102891365506208412,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3444 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5356,i,6492464791485219927,6102891365506208412,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3380 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\main.cpl,@1 ,1⤵
-
C:\Windows\system32\osk.exe"C:\Windows\system32\osk.exe"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4e4 0x4d01⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}1⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Desktop\Quasar v1.4.1\Client-built.exe"C:\Users\Admin\Desktop\Quasar v1.4.1\Client-built.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Desktop\Quasar v1.4.1\Client-built.exe"C:\Users\Admin\Desktop\Quasar v1.4.1\Client-built.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\Quasar v1.4.1\Client-built2.exe"C:\Users\Admin\Desktop\Quasar v1.4.1\Client-built2.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe"C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Desktop\Quasar v1.4.1\Client-built2.exe"C:\Users\Admin\Desktop\Quasar v1.4.1\Client-built2.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\Quasar v1.4.1\Client-built.exe"C:\Users\Admin\Desktop\Quasar v1.4.1\Client-built.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\Quasar v1.4.1\Client-built.exe"C:\Users\Admin\Desktop\Quasar v1.4.1\Client-built.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\Quasar v1.4.1\Client-built2.exe"C:\Users\Admin\Desktop\Quasar v1.4.1\Client-built2.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\Desktop\Quasar v1.4.1\Profiles\Default.xml"1⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\Quasar v1.4.1\Profiles\Default.xml2⤵
- Modifies Internet Explorer settings
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5388 CREDAT:17410 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}1⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Desktop\Quasar v1.4.1\Client-built.exe"C:\Users\Admin\Desktop\Quasar v1.4.1\Client-built.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe"C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe"1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{60A90A2F-858D-42AF-8929-82BE9D99E8A1}1⤵
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD5368401d07edfde4a97b091015ea99bc7
SHA17995af9656c1ed515e1d26ac3dfa737bb629fc39
SHA2566ad86133d37c7d9091abeacf45815cdc9b52ee286479d99206b62d1d0fe90e7e
SHA51216d023569f069fe406e9bc44156816c76575bd9d95f3f6ec732047715f15dcfd97a1189903aa2732c82472d22681f1df1c043d0bd7258d8ca8104eb6beb9c66e
-
Filesize
232KB
MD594d585ea8ab3d4e5ee1d7f4c4d85b97e
SHA17a1b478074a7f0a630ebd41942f031d5e1019b04
SHA2568369eaf1ecae1c08d6f1ac3ab881925589ad16221bc73531c3104e458aef661f
SHA5126b1b302e1fb39ebd4b5b5bfef6c4554f2df249f93ebeca4e8461e0ad738df9cad6b400956c94d99c8f0f4221b4e6a3ede15c8f4b66b60118b98385832829dedd
-
Filesize
649B
MD5453e77fee1b2a7c1786bbfe34383471c
SHA104c6d86aea9154a2f102cd06b65b0fd83bf604f1
SHA256a689b61e1625e880c6ed49bfb651f58cb317b73066609f4cd738b00b612ec036
SHA512bbd71fea6c506eaa12977789ca0b4a2c12af937330b51b48e3c64c4a78c864bcc285b6fc43afd98e1a976d39f6c85feeaa007107388957d62a68970e2a702e92
-
Filesize
120B
MD51035b98ddb99a29414264b74ff3fe179
SHA1df5eb658f16710c6597c23a19876906127e71993
SHA2569b58f47612bf48bdad4fbb7b438760ccc7cb8a0bf3d4d819d250d34a663aab17
SHA5121ba3803d7989f24e496da9aba88e88e456d5b4053b69212718eb904c2ebf28d498080158436f54a557af3254de222f6a2cdca5a50b59bc6e8a6d6c594bd13033
-
Filesize
3KB
MD544051413d17107e60db3276a463ef260
SHA10f7654bf73242dc6189140fc3976042ad6262f53
SHA256a757a1ebc56e579527f56586bb7833a9c5ed70b3a557ea4ac59df23a1b99bdad
SHA512a3a7faf354fd80560ddc634658ace8fd88c2a75fc4705b4d78e694e05226dac8867f8836e97c3232a928401696db43b8d2a480c5cb71a23cef8ebf28f4e1b5fc
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD5e7e752b6b9d6753cf0ed75e2a7ff5965
SHA139346becb12dc701b2b2c548af02d8efb67d641e
SHA2568bebc61186470c7d2d9cf70274b3748a14e1fc5ba8bbf9e5c494b3cc2378a140
SHA5125c5272a8247bddf36bc02ac0ec9e944409d54cf70e1fe38a0a7e5441fd192c47f3459be97361dc1dca7a3ee9edadaa8f69e6f0f8c2c320b0f60f84e3ae8ef261
-
Filesize
9KB
MD543b80a4583b10ace1d0a4d1209ddecdd
SHA1d470d38f5638d10c955b851b4800fea4570ce2fb
SHA256ac8175a52d96a623ee478636a01a1f89e43c8a8a6509f059c99e8f95e95a829e
SHA5128c1d19ce05330ffd2e5a52dcf82a14e196747275fd04c1595fb631d89063b98ab78b387391004f68c163ffe3645045f76edc20c4a39b6ea1d540edf2e970e65b
-
Filesize
15KB
MD5eb9d3b06980bf4a084456cbae478b21a
SHA1a67ab26862be5cfba679c7677bd168c8d55339e9
SHA256e3e0794d6518140feb504cae92d96c7b6b329ebf156e423f373f512dbfdc93a4
SHA512800d54eb55f7c2e6d55207cda4b8068760284b4a3392d2d419ec7504cc9da0c157005a6243374d00f82e4316e28a1e4995b5b56dc76b14927727a0d223d77993
-
Filesize
232KB
MD54549a75211b7435d0f5ec3fef814ade8
SHA10792dd1e4803567d24e673ee65469654a590d31b
SHA2566e268ffe55dad82916d1fb23d3a38a584b3d3133e6b453a770274b6133e7ae7d
SHA512bd68ec5fc745c40d359d4b9ef8c9e1e423d5c2a0397776ca59cf6339f6a272bf7608279fc068cdd1fbb35752a65cdddfeae2a638ce264a90f5cca90b611c3093
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
2KB
MD5e07c3925c4e8b60a8ea6300a1437ef3a
SHA1101e086eed0ac5cde21219343545f5042fb1cb12
SHA25698dd0707ee1844d0b0ad3f44d21c9bbfd1c135e18ea22061c9bc4e0e45736156
SHA5128ba1327624a4225082e608d9f7689796a5fdfaeb042f9870164436ff0022e94379e8b98774665e3ccc73d8cc1d3c510fbabd10f39b0f164c4fe3310570da5b8d
-
Filesize
152B
MD5bffcefacce25cd03f3d5c9446ddb903d
SHA18923f84aa86db316d2f5c122fe3874bbe26f3bab
SHA25623e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
SHA512761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7
-
Filesize
152B
MD5d22073dea53e79d9b824f27ac5e9813e
SHA16d8a7281241248431a1571e6ddc55798b01fa961
SHA25686713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
SHA51297152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413
-
Filesize
1KB
MD53aaa3039b13b1b752d3a32a60a09d71f
SHA171bad89303a3b1e090957bf6d04bccc41a461e99
SHA2569b969b65e4570a6c354aef95306250efbcbb136d2ce44649acf3eab2021bb63f
SHA512cb085adf89926215a4b5321d682d4ee6408776b33e79ac6e88dbb2815cdceae165a88002a242a7b0801baba05419fb080b44651eb40f1df4629a521643c5a4d2
-
Filesize
496B
MD530322550d9f9c54f345ea1c71f3b2e8f
SHA1b5a3cff2995147279c2bbed7c03b2280ecb286e5
SHA2564e7798d8476361378f8fbfb0442db63c7f6bf7e1830d50808bfdb8a58700d8f9
SHA512261d1f5bc9c8a369f815eb846c252f54681f70862153bd49959411450870207b3ee240cc9016533c27401922527d561cc1ea7bb23708e4a257f071d010cf55ef
-
Filesize
5KB
MD5412fa9be1abe971180382e812640635f
SHA12a06a946c2c7c8f898da9f4363e67a0c4b44b92d
SHA256fefa9ad3b8803135f58df57735f201ce2d36450e4cbc2a5a424321da2ef6f465
SHA512fe7e89828cd65b98ebf4d18ced5fe0a29a768e01d36729cdca6e2871dc75babec5f243e5027f000979aa16338a590a2b13c1575eaffc4399792fe467c4292c4f
-
Filesize
6KB
MD5a102e827443cd0ea11dce6dbb7a409ea
SHA1a75557e4d56c6922f3a87a93b0fc41e4a111523d
SHA256be9ecd93492f2ab18b06f6519e211e8d8b4b89151646a408caa0f857987ef48f
SHA512000f0caca6fa7176f0b834c084d8601e18e726820423af6f2bf2fdaf139de462d455b58eb51f24ac44216abb5a0aff95148e1e775873256f86459d359db36ebd
-
Filesize
6KB
MD5c93e34d2fce75b85a6de5360c44519a1
SHA1b5013afe915dfe95fe3c4fbea9b7aa3b9e387427
SHA2564a75c5a0dbb6a6a6feaaa4d95c0b48b1e371ed8e4cd848983223e85579ab4ece
SHA51287e1849e5f513f01930ec3448485574bbcc43435887eaf508494ebfaa2d49a38b07358024be187900e6a6d38270d778075e468723810fd2ae16496b7130c0bae
-
Filesize
872B
MD556c5c21d117ba8a5845fb263c12edc09
SHA11f9eb53a92b4f8093e80515e8e02547312bc3339
SHA25648b11eda99c72a960f17add99d9870508283ca366dc051a71fb9387c762215b3
SHA512ec45e2db1b8163584bb60243750520700f1538794533e86de386fe4a9d15124c98fc4eb5e966b62250cab446a323d263888648781db8d9bea81432469414d9d3
-
Filesize
872B
MD5d1e42db27c211a7f8abb070b7ce7354d
SHA15d3fe6215270214706a4312b91a4f9879f255cc3
SHA2565a3783534b300e767203fe66c5dfbf7f4e34a7b07ff48696bd358ebe24bb4046
SHA51255eaad954dc78e6cdb296f5486d1ed4f66ed5e8e8b10beec402f736aa4b294814b87e4723db9ce6c0ff60775ef3e5133fbf3a236be8bcf2ae2382cd528240305
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD54c94dd53b1281e9ccd8ac3d125f168d6
SHA1abba41eee1eac385bfca10add4e8e3e1f7e69cb3
SHA2568688f4ba2861d9db014a729d0a59651573a0b65c22e5da97b164d77dc3db4ca6
SHA51268dddaf6112d670da490b72d5bc3b7f2dfeee61f71785a68864ec875da9e635383b8b20a6f65661f1a08e9276c25ac359301e4063a6667a187494143a5b7279f
-
Filesize
11KB
MD5585b4f388db6e6efac7b10cbd0226653
SHA184ff995d4f2a21d753278b325fc1453dfd65bf97
SHA256d0ee2bae79174b5b1985b84e777852de962bdeeeb0f33f8fe276740288512672
SHA51204679b4798b75b9f1648681cb8b0585efc71bdb449bf8f838afec4149f0c7b29f008d6ced419dbdc166e3a09668a2b2fc2bab38864a1e73d16ab5a9c7f38cdbb
-
Filesize
3KB
MD546219c1fcf707aea671af71ca1192130
SHA181b5beffde2d3b1cc026e52d195e44f369960cc9
SHA2561905919490282158abbfe54762d5e1bc7ab64edb03b4f75ecb541615151642dc
SHA512ec33d8f8ba87272cb432739824f3abc360d2be969d02d4cf6c4c46f7edfc7198a7d57c077f645c40592d34e966a5e553c159e7d5e4dc891159e001592d7e1ced
-
Filesize
3KB
MD592036e6f7a34a2d52957e77f467b8367
SHA180136e443dd74b941c5c4fed9f60e869e33e65c1
SHA256b0065379c2e16a0c69e73a88b08c11b57813d728f4ba09648b75639d4feb4327
SHA5126c32710f95920614312a7c4fc3f4dba49924f017a74b59b467c5b15557bc7c4f06deb682b86772814e0607bf3f7f3bb9a25ee387e995726f57137649ba5ba55c
-
Filesize
3.1MB
MD5557bb7b3d831d254ea3182604e8d3d71
SHA1e68ad12ee0ba89a3979fc8a1e5452414f7ce7ddc
SHA256b895704ea8bd7a49f14e1594d7b84426542c8de5db7a30c65a7370c9fd4fc7aa
SHA5129865a3d54d3b8575ecd2f9af8d696da744b106330f65d509fac00c2c11ad083a9be1300948ede82249505b5da74115341ddb2f1736436d88fb27501abcd8e6dc
-
Filesize
3.1MB
MD52ea684329dc2d012365608490761868a
SHA1b409de5ebb383034117cf7ef0e5a9ddbca3986e2
SHA256b1ae47d11742fc000ccc6266886ce9e83badec4f44516a4e414fee9223d40998
SHA51240372e57ad76eab13ca39eec80d11e3038e6346c4f411551b2f59f01f88cea5553ea654de660a51bb15888b314ce810057500a2ede64cb07e11aee0822dd6dbc
-
Filesize
240B
MD538ccb91f06cdd472bb0fa8b2ee1f6bd1
SHA151490fc44d9149a5660c0eee7e9ff8f246f776bc
SHA2564a1433b1c2b8f925111bf3a319f8d747a2b1595ddc980fa37e5022e57bb6b13b
SHA5123a56de11055382c1577af1869e35731236774ca0de6cac28a3d6614a9d99d0c0c32028f6829c7bc6672b917bb6ee30b870d6363a3f4976aea0d69d8f057e9fef
-
Filesize
1023B
MD5a1b8c6a7dc5072c25c582a6e9d9ba709
SHA161abd3c9f553dcb96ed85c115309c1d45a3b82bc
SHA256ccec603a7282ce665a5421b246752f96d8248ce5eec1d51dbd8319bf2f70c2df
SHA512b2513242860f00607089741c85e0750676d165da4f3c86b36fc1ea894cd4f9eec210578488f90b85cc4dbec40e7d4e41f43d1df1274eaa0737a0a14053f8d13c
-
Filesize
1KB
MD5310b7dd54798abf74eb765b9df19075c
SHA15a6e92dd9641b3b65a075a795ed73c1ec883b730
SHA256570820e25fa5e23504298c41ee1b2b5e6ed478b3de6bcdc27873cfd1c66fae44
SHA512886087c28ac6e3c1c640a97f4daaf42eee63dc39bce60a4e034757dbfc60c4872abc352855f3820d4894661ef11e981dd67f0a6387fa6ada2940e1f93c35fb64
-
Filesize
1006B
MD529ef08faa6cfbe0148d5c9290ae32937
SHA1e0400cd314f368d6d205b80be15c583736892a7c
SHA2565b4022e843330519fb8efe1551dc9f8d4663a8ba46e91676b21b4d671c8d147f
SHA512231daf817f0b373e9b4763b55abed4f6244f7a7847fbfa29a5432da39779682126a2050bed34ed5ef69f09227557fcb690b5a3c9c176112783cb0739c17fbcd0
-
Filesize
4KB
MD5a93ef6b3e18287ff0604bc41f4a47a02
SHA1747ec2a8613c0b60820a4e6987a8e6da7c105bd4
SHA256dde88985c3c1dc8e9693d5117d9158d0488418c8a0942a8e9b3b13a06a208bb6
SHA5126816b0ecbdba46acb56b24607b51c10fd866721cd9efbda23daa6ba908e02730b03697d5348b535b8a35d0df8431fcfc538c1b72678315b459997bce08a3471b
-
Filesize
372B
MD5fca8b1c002395cf5d7ecf1a357f34319
SHA13795bf632d1a619814301b5226d958ce78a0ab12
SHA2560ac0e8ff8e7d2722ee870e3e227f844d16ee41250a16ba0b2d3e1537297bdc21
SHA5125d38019d282afd8b8da9d0acf0c2e622c3a889e0f7e457d08aeb6324192b7ab904ad133c6336fc24555a00c9654a8d9d21fa7211299d01b4aaad028a5739483a
-
Filesize
3.3MB
MD513aa4bf4f5ed1ac503c69470b1ede5c1
SHA1c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00
SHA2564cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62
SHA512767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
3.1MB
-
Filesize
5.2MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
376KB
-
Filesize
104KB
-
Filesize
304KB
-
Filesize
712KB
-
Filesize
320KB
-
Filesize
96KB
-
Filesize
3.2MB
-
Filesize
88KB
-
Filesize
1.2MB