File name:

Quantum Builder Cracked 2023.zip

Full analysis: https://app.any.run/tasks/0b75af60-9b24-4481-845d-472dbf4dd442
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: January 15, 2024, 02:23:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
evasion
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

491EAE26368552232D525E82F5F27587

SHA1:

44FF9DA7B28E26CDF131E55B103245AC1B78F5AB

SHA256:

93986E3E0533594BC35CE104DF9D0DAC3ACA5E31C97D778FB1E2429B5F3D851E

SSDEEP:

98304:PUkjsB2dAyxKEn6snk0/H2KmQG4efnm52r440e5BH+lQspd+5KOOuhup5dgrA58S:VkKJT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops an executable file immediately after start

      • WinRAR.exe (PID: 2040)
      • QuantumBuilder.exe (PID: 2016)
      • win update.exe (PID: 1344)
      • QuantumBuilder.exe (PID: 2172)
    • Creates files in the Startup directory

      • win update.exe (PID: 1344)
    • Actions look like stealing of personal data

      • win update.exe (PID: 1344)
  • SUSPICIOUS

    • Creates files that look like ransomware instructions

      • WinRAR.exe (PID: 2040)
    • Reads the Internet Settings

      • QuantumBuilder.exe (PID: 2016)
      • win update.exe (PID: 1344)
      • QuantumBuilder.exe (PID: 2172)
      • QuantumBuilder.exe (PID: 1536)
    • Checks for external IP

      • win update.exe (PID: 1344)
    • Executable content was dropped or overwritten

      • QuantumBuilder.exe (PID: 2016)
      • win update.exe (PID: 1344)
      • QuantumBuilder.exe (PID: 2172)
    • Reads settings of System Certificates

      • win update.exe (PID: 1344)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • win update.exe (PID: 1344)
  • INFO

    • Manual execution by a user

      • QuantumBuilder.exe (PID: 2016)
      • QuantumBuilder.exe (PID: 2172)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2040)
    • Creates files in a temporary directory

      • QuantumBuilder.exe (PID: 2016)
      • QuantumBuilder.exe (PID: 2172)
    • Reads the machine GUID from the registry

      • QuantumBuilder.exe (PID: 2016)
      • win update.exe (PID: 1344)
      • QuantumBuilder.exe (PID: 2172)
      • QuantumBuilder.exe (PID: 1536)
    • Reads the computer name

      • QuantumBuilder.exe (PID: 2016)
      • QuantumBuilder.exe (PID: 480)
      • win update.exe (PID: 1344)
      • QuantumBuilder.exe (PID: 1536)
      • QuantumBuilder.exe (PID: 2172)
    • Checks supported languages

      • QuantumBuilder.exe (PID: 480)
      • QuantumBuilder.exe (PID: 2016)
      • win update.exe (PID: 1344)
      • QuantumBuilder.exe (PID: 1536)
      • QuantumBuilder.exe (PID: 2172)
    • Reads Environment values

      • win update.exe (PID: 1344)
    • Reads CPU info

      • win update.exe (PID: 1344)
    • Creates files or folders in the user directory

      • win update.exe (PID: 1344)
      • QuantumBuilder.exe (PID: 1536)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2023:07:14 21:09:34
ZipCRC: 0x0e555fcd
ZipCompressedSize: 69467
ZipUncompressedSize: 162448
ZipFileName: Microsoft.Toolkit.Uwp.Notifications.dll
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 1

Behavior graph (process chain as shown in the report): start → winrar.exe → quantumbuilder.exe → quantumbuilder.exe (no specs) → win update.exe → quantumbuilder.exe → quantumbuilder.exe (no specs)

Process information

PID: 480
CMD: "C:\Users\admin\AppData\Local\Temp\QuantumBuilder.exe"
Path: C:\Users\admin\AppData\Local\Temp\QuantumBuilder.exe
Parent process: QuantumBuilder.exe
User:
admin
Company:
Quantum Software
Integrity Level:
MEDIUM
Description:
QuantumBuilder
Exit code:
4294967295
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\quantumbuilder.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1344
CMD: "C:\Users\admin\AppData\Local\Temp\win update.exe"
Path: C:\Users\admin\AppData\Local\Temp\win update.exe
Parent process: QuantumBuilder.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Win Update
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\win update.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1536
CMD: "C:\Users\admin\AppData\Local\Temp\QuantumBuilder.exe"
Path: C:\Users\admin\AppData\Local\Temp\QuantumBuilder.exe
Parent process: QuantumBuilder.exe
User:
admin
Company:
Quantum Software
Integrity Level:
MEDIUM
Description:
QuantumBuilder
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\quantumbuilder.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 2016
CMD: "C:\Users\admin\Desktop\QuantumBuilder.exe"
Path: C:\Users\admin\Desktop\QuantumBuilder.exe
Parent process: explorer.exe
User:
admin
Company:
Quantum Software
Integrity Level:
MEDIUM
Description:
QuantumBuilder.exe
Exit code:
0
Version:
1,0,0,0
Modules
Images
c:\users\admin\desktop\quantumbuilder.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 2040
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Quantum Builder Cracked 2023.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2172
CMD: "C:\Users\admin\Desktop\QuantumBuilder.exe"
Path: C:\Users\admin\Desktop\QuantumBuilder.exe
Parent process: explorer.exe
User:
admin
Company:
Quantum Software
Integrity Level:
MEDIUM
Description:
QuantumBuilder.exe
Exit code:
3762504530
Version:
1,0,0,0
Modules
Images
c:\users\admin\desktop\quantumbuilder.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 5 917
Read events: 5 857
Write events: 60
Delete events: 0

Modification events

Process: (2040) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\phacker.zip

Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: (2040) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files: 6
Suspicious files: 1
Text files: 6
Unknown types: 0

Dropped files

PID: 2040
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\noted or readme.txt
Type: text
MD5: E1D542AFC29545828F1D0C823B4EBD8A
SHA256: 55A17B02F9A9EAB13FC38DD0F67C747E6050ABF4F932D3E62FE27670EB9C9150

PID: 1344
Process: win update.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update Service.exe
Type: executable
MD5: 1C6998D9D18E8EF821800F91FBED56C6
SHA256: F4B1C9F69F77C275FB40DBC0CD7FA5786660760C49BF9E9DC2388472F7405B35

PID: 2172
Process: QuantumBuilder.exe
Filename: C:\Users\admin\AppData\Local\Temp\QuantumBuilder.exe
Type: executable
MD5: DC60A8363D1974A6951412D0FD217ECF
SHA256: 6A1DECCC83FC8F1A072BD6DBE0A8321D34E11D78AAD4B4F3A2CEE6F754704D74

PID: 2040
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\QuantumBuilder.exe
Type: executable
MD5: C819A7F23ACE072A35C45BB86413DAE4
SHA256: 6BFAF1A8669E3380A18DDCBDD99249597C6CE4612470F42BF17E2FBBC5E1410D

PID: 1344
Process: win update.exe
Filename: C:\Users\admin\AppData\Local\Win_Service_Update\Information.txt
Type: text
MD5: 6908EE6433747B189C8850B02F471176
SHA256: 59447A96DA310AA4BBEA3CD141DDB21841CED206EFCA9BB527E298A8D4144D06

PID: 2040
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Microsoft.Toolkit.Uwp.Notifications.dll
Type: executable
MD5: 805135DA62C5B65618B9782A5DC48F06
SHA256: A0B5BE9580BF6548F685D79E5439F6D946EF57E013D201F946B2A894E7441804

PID: 2016
Process: QuantumBuilder.exe
Filename: C:\Users\admin\AppData\Local\Temp\win update.exe
Type: executable
MD5: 1C6998D9D18E8EF821800F91FBED56C6
SHA256: F4B1C9F69F77C275FB40DBC0CD7FA5786660760C49BF9E9DC2388472F7405B35

PID: 1344
Process: win update.exe
Filename: C:\Users\admin\AppData\Local\DE[01-15-2024]_87.249.132.186_admin.zip
Type: compressed
MD5: 8622B05A48E6541B93F1E38627E228C9
SHA256: 26998B011DE10C3B9C04C5B6ADF4CF01AAA3DB3AA1A82843B5BDEBECD0792EF2

PID: 2040
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\nfo.txt
Type: text
MD5: 52FB6A64C359F33D9A4E7B8A72C1335A
SHA256: A3D9E2CB93496C85F8A781CE275871A949AFFD838A3DA20FF0AE90A2A65C3B81

PID: 2016
Process: QuantumBuilder.exe
Filename: C:\Users\admin\AppData\Local\Temp\QuantumBuilder.exe
Type: executable
MD5: DC60A8363D1974A6951412D0FD217ECF
SHA256: 6A1DECCC83FC8F1A072BD6DBE0A8321D34E11D78AAD4B4F3A2CEE6F754704D74
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 6
DNS requests: 2
Threats: 6

HTTP requests

PID: 1344
Process: win update.exe
Method: GET
HTTP Code: 200
IP: 208.95.112.1:80
URL: http://ip-api.com/xml/
CN: unknown
Type: xml
Size: 457 b
Reputation: unknown

Connections

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

PID: 1080
Process: svchost.exe
IP: 224.0.0.252:5355
Reputation: unknown

PID: 1344
Process: win update.exe
IP: 208.95.112.1:80
Domain: ip-api.com
ASN: TUT-AS
CN: US
Reputation: unknown

PID: 1344
Process: win update.exe
IP: 149.154.167.220:443
Domain: api.telegram.org
ASN: Telegram Messenger Inc
CN: GB
Reputation: unknown

DNS requests

Domain: ip-api.com
IP: 208.95.112.1
Reputation: shared

Domain: api.telegram.org
IP: 149.154.167.220
Reputation: shared

Threats

PID: 1344
Process: win update.exe
Class: Potential Corporate Privacy Violation
Message: AV POLICY Internal Host Retrieving External IP Address (ip-api. com)

PID: 1344
Process: win update.exe
Class: Device Retrieving External IP Address Detected
Message: ET POLICY External IP Lookup ip-api.com

PID: 1080
Process: svchost.exe
Class: Misc activity
Message: ET HUNTING Telegram API Domain in DNS Lookup

PID: 1344
Process: win update.exe
Class: Misc activity
Message: ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)

Class: Misc activity
Message: ET HUNTING Telegram API Certificate Observed

PID: 1344
Process: win update.exe
Class: Successful Credential Theft Detected
Message: STEALER [ANY.RUN] Attempt to exfiltrate via Telegram
Process: win update.exe
Message: RunBotKiller: Access is denied (the same message is logged 10 times)