Analysis

max time kernel: 93s
max time network: 191s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-03-2023 19:43
Static task: static1
URLScan task: urlscan1
Malware Config

Extracted
Family: quasar
Version: 1.3.0.0
Botnet: HEU_A
C2: hacker.548848.xyz:4000
Mutex: QSR_MUTEX_y7qRPJXwrKoCCGjifB
encryption_key: zOtqF7XIGfeSwK3tze2l
install_name: IntelServiceUpdate.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Intel Service Update
subdirectory: IntelServiceUpdate

Extracted
Family: quasar
Version: 1.3.0.0
Botnet: HEU_T
C2: 81.68.120.79:4000
Mutex: QSR_MUTEX_kWiUJRAFspPTbob5of
encryption_key: 7GHKJ6ZgFY9nVhHS7b4U
install_name: IntelService.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Intel Service
subdirectory: IntelService
Signatures

Quasar payload 10 IoCs
Processes:
resource | yara_rule
behavioral1/memory/4008-916-0x0000000000BC0000-0x000000000144A000-memory.dmp | family_quasar
behavioral1/memory/4008-919-0x0000000000BC0000-0x000000000144A000-memory.dmp | family_quasar
behavioral1/memory/4008-1063-0x0000000000BC0000-0x000000000144A000-memory.dmp | family_quasar
behavioral1/memory/1468-1086-0x0000000000710000-0x0000000000F9A000-memory.dmp | family_quasar
behavioral1/memory/1468-1088-0x0000000000710000-0x0000000000F9A000-memory.dmp | family_quasar
behavioral1/memory/2012-1623-0x00000000001D0000-0x0000000000A5C000-memory.dmp | family_quasar
behavioral1/memory/2012-1624-0x00000000001D0000-0x0000000000A5C000-memory.dmp | family_quasar
behavioral1/memory/2012-1680-0x00000000001D0000-0x0000000000A5C000-memory.dmp | family_quasar
behavioral1/memory/4856-1700-0x0000000000F10000-0x000000000179C000-memory.dmp | family_quasar
behavioral1/memory/4856-1702-0x0000000000F10000-0x000000000179C000-memory.dmp | family_quasar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | HEU_A.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | IntelServiceUpdate.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | HEU_T.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | IntelService.exe

Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | HEU_T.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | HEU_T.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | IntelService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | IntelService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | HEU_A.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | HEU_A.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | IntelServiceUpdate.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | IntelServiceUpdate.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | IntelInstallation.exe
Executes dropped EXE 7 IoCs
Processes:
pid | process
4632 | chaos.exe
972 | IntelService.exe
3296 | IntelInstallation.exe
4008 | HEU_A.exe
1468 | IntelServiceUpdate.exe
2012 | HEU_T.exe
4856 | IntelService.exe
Themida packer 20 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_A.exe | themida
behavioral1/memory/4008-916-0x0000000000BC0000-0x000000000144A000-memory.dmp | themida
behavioral1/memory/4008-919-0x0000000000BC0000-0x000000000144A000-memory.dmp | themida
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_A.exe | themida
C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe | themida
C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe | themida
behavioral1/memory/4008-1063-0x0000000000BC0000-0x000000000144A000-memory.dmp | themida
behavioral1/memory/1468-1086-0x0000000000710000-0x0000000000F9A000-memory.dmp | themida
behavioral1/memory/1468-1088-0x0000000000710000-0x0000000000F9A000-memory.dmp | themida
C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe | themida
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_T.exe | themida
behavioral1/memory/2012-1623-0x00000000001D0000-0x0000000000A5C000-memory.dmp | themida
behavioral1/memory/2012-1624-0x00000000001D0000-0x0000000000A5C000-memory.dmp | themida
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_T.exe | themida
C:\Program Files (x86)\IntelService\IntelService.exe | themida
C:\Program Files (x86)\IntelService\IntelService.exe | themida
behavioral1/memory/2012-1680-0x00000000001D0000-0x0000000000A5C000-memory.dmp | themida
behavioral1/memory/4856-1700-0x0000000000F10000-0x000000000179C000-memory.dmp | themida
behavioral1/memory/4856-1702-0x0000000000F10000-0x000000000179C000-memory.dmp | themida
C:\Program Files (x86)\IntelService\IntelService.exe | themida
Checks whether UAC is enabled 4 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | HEU_A.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | IntelServiceUpdate.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | HEU_T.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | IntelService.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
58 | ip-api.com
Drops file in System32 directory 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\IntelServiceUpdate | IntelServiceUpdate.exe
File opened for modification | C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe | HEU_A.exe
File opened for modification | C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe | IntelServiceUpdate.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
pid | process
4008 | HEU_A.exe
1468 | IntelServiceUpdate.exe
2012 | HEU_T.exe
4856 | IntelService.exe
Drops file in Program Files directory 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\IntelService\IntelService.exe | HEU_T.exe
File opened for modification | C:\Program Files (x86)\IntelService\IntelService.exe | IntelService.exe
File opened for modification | C:\Program Files (x86)\IntelService | IntelService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
3344 | 972 | WerFault.exe | IntelService.exe
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
4104 | schtasks.exe
1592 | schtasks.exe
2940 | schtasks.exe
4640 | schtasks.exe
GoLang User-Agent 2 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
Processes:
description | flow | ioc
HTTP User-Agent header | 44 | Go-http-client/1.1
HTTP User-Agent header | 45 | Go-http-client/1.1
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\PhishingFilter | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d3273793ae45d901 | iexplore.exe
Modifies Internet Explorer settings 42 IoCs
Processes:
description | ioc | process
Set value (data) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50529233c85dd901 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{58B19919-C9BB-11ED-9F77-EA1737350EF8} = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31022536" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31022536" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "776948260" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038a9e23718fe574b84afdc36f043bb4c000000000200000000001066000000010000200000004bbdbd02fd35169ccc5b5ff8980e90a89b157534c133f1602c3a5bfe01a1cddb000000000e8000000002000020000000efb6ccab02f632160b5a721475de148b11ae4584905c40cb1dce45c2c272a72720000000d82432d162c8ca93791da94cb20f5c260c3f23338f475e72670fac3c31d4397940000000326daaa9398499131eec6278113154ece3c0b2bed60120786dea7364bc2b576edd164c7bc8d47f071d5318456b92139a568ca9823ec2f062437f2b0d77b1b212 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{5F2C1E62-7A1C-4F32-B17E-17B465B9B0DB}" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "776948260" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 203b472fc85dd901 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 705f232fc85dd901 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038a9e23718fe574b84afdc36f043bb4c00000000020000000000106600000001000020000000baca6b82564892a9857dd6ce3eb4dd75e6ffb00d0aefdc86b7fc70fb141d42ac000000000e800000000200002000000058763324ac30cb247f99af5b83d6aa92b3728e2276fe8c1073a6f5063dcb103620000000bc1227b20fe347080ffbb01321fa5ba11c86e448c506fbd4e407bb4109fc177c40000000a17957e81834ea395933c2549dc391c9063d91a12980bd7cfe15feb609407dae57b149cf49bda0c27b2f813c9bdaf9043b81e65c8e8af25abfb9357bf1af499e | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038a9e23718fe574b84afdc36f043bb4c00000000020000000000106600000001000020000000f3be62642dc8d51cf30ac87453f6c608648a0fe9ce5b85ee049ab43eb6ad51b1000000000e8000000002000020000000ee8da070999c8003136f5aad7fe3dd78cc4e468f9ca86b6ad60d1461cc16926f20000000fdcd5c1bc1b0ccc031c55124631bf5253ed8dc5598a2e0ceb96fb95ae7e19aa6400000006f53d7f4d8ad4b283335d7db416487c86f746e2f83d5da6817320f2a8b568d5d67758e8d6c156960a04ee75f1af802592939c6f09ce2cd7cc733e288b589b8c9 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "386369182" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\RepId | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20949a37c85dd901 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\IESettingSync | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038a9e23718fe574b84afdc36f043bb4c0000000002000000000010660000000100002000000023fd6acf24f4fdc228765986aff849e0ba017ab94d5c01d2f2051ba1420998ae000000000e80000000020000200000000c1190bb180b2ed055d7ed39c51cd6f64858a2defe705a5c383e63a72e748ea620000000864a2969c6fcc8731609954c0d2f635a2d12828dada31adb37cff3a9038beceb40000000cb07ede1ece4f5424dcd3c5de34855957fdde0397c529060b945a6023fe9e1f9db9a2e6fa574ddfc082b6e3e768d71c04821fe8daac8a6eec0255e80c6989496 | iexplore.exe
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings | IntelInstallation.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
2116 | iexplore.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4008 | HEU_A.exe
Token: SeDebugPrivilege | 1468 | IntelServiceUpdate.exe
Token: SeDebugPrivilege | 2012 | HEU_T.exe
Token: SeDebugPrivilege | 4856 | IntelService.exe
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid | process
2116 | iexplore.exe (4 entries)
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
pid | process
2116 | iexplore.exe (2 entries)
224 | IEXPLORE.EXE (4 entries)
1468 | IntelServiceUpdate.exe
4856 | IntelService.exe
Suspicious use of WriteProcessMemory 41 IoCs
Processes:
description | pid | process | target process
PID 2116 wrote to memory of 224 | 2116 | iexplore.exe | IEXPLORE.EXE (3 entries)
PID 2116 wrote to memory of 4632 | 2116 | iexplore.exe | chaos.exe (2 entries)
PID 2116 wrote to memory of 972 | 2116 | iexplore.exe | IntelService.exe (3 entries)
PID 2116 wrote to memory of 3296 | 2116 | iexplore.exe | IntelInstallation.exe (3 entries)
PID 3296 wrote to memory of 5100 | 3296 | IntelInstallation.exe | WScript.exe (3 entries)
PID 5100 wrote to memory of 1964 | 5100 | WScript.exe | cmd.exe (3 entries)
PID 1964 wrote to memory of 4008 | 1964 | cmd.exe | HEU_A.exe (3 entries)
PID 4008 wrote to memory of 4104 | 4008 | HEU_A.exe | schtasks.exe (3 entries)
PID 4008 wrote to memory of 1468 | 4008 | HEU_A.exe | IntelServiceUpdate.exe (3 entries)
PID 1468 wrote to memory of 1592 | 1468 | IntelServiceUpdate.exe | schtasks.exe (3 entries)
PID 1964 wrote to memory of 2012 | 1964 | cmd.exe | HEU_T.exe (3 entries)
PID 2012 wrote to memory of 2940 | 2012 | HEU_T.exe | schtasks.exe (3 entries)
PID 2012 wrote to memory of 4856 | 2012 | HEU_T.exe | IntelService.exe (3 entries)
PID 4856 wrote to memory of 4640 | 4856 | IntelService.exe | schtasks.exe (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Level 1: C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://20.214.232.149
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 2: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2116 CREDAT:17410 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx

Level 2: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\chaos.exe
Command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\chaos.exe"
- Executes dropped EXE

Level 2: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\IntelService.exe
Command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\IntelService.exe"
- Executes dropped EXE

Level 3: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 316
- Program crash

Level 2: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TUIJN6ZA\IntelInstallation.exe
Command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TUIJN6ZA\IntelInstallation.exe"
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory

Level 3: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\installation.vbs"
- Checks computer location settings
- Suspicious use of WriteProcessMemory

Level 4: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\installation.bat" "
- Suspicious use of WriteProcessMemory

Level 5: C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_A.exe
Command line: HEU_A.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Level 6: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Intel Service Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_A.exe" /rl HIGHEST /f
- Creates scheduled task(s)

Level 6: C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe
Command line: "C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 7: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Intel Service Update" /sc ONLOGON /tr "C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe" /rl HIGHEST /f
- Creates scheduled task(s)

Level 5: C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_T.exe
Command line: HEU_T.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Level 6: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Intel Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_T.exe" /rl HIGHEST /f
- Creates scheduled task(s)

Level 6: C:\Program Files (x86)\IntelService\IntelService.exe
Command line: "C:\Program Files (x86)\IntelService\IntelService.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 7: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks" /create /tn "Intel Service" /sc ONLOGON /tr "C:\Program Files (x86)\IntelService\IntelService.exe" /rl HIGHEST /f
- Creates scheduled task(s)

Level 1: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 972 -ip 972

Level 1: C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Level 1: C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\cobalt_strike_4.7\cobaltstrike.jar"

Level 1: C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\cobalt_strike_4.7\cobaltstrike-client.jar"

Level 1: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\cobalt_strike_4.7\ddosi.org.bat" "

Level 2: C:\ProgramData\Oracle\Java\javapath\java.exe
Command line: java -XX:ParallelGCThreads=4 -XX:+AggressiveHeap -XX:+UseParallelGC -Xms512M -Xmx1024M -jar cobaltstrike-client.jar
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Path: C:\Program Files (x86)\IntelService\IntelService.exe (3 identical entries)
Filesize: 3.2MB
MD5: 40d62eddbff45d346db54f324aa84008
SHA1: 0f40dcddb8ae4a1eedab47e7987eef133292ab91
SHA256: 670e5d43cf31f19bda2ff0355456fbb657472402482e85202dc8a4f338d46858
SHA512: 2274bde25d39170ad2e497ffd48d05397934588a413d60bbdde4fdda96226db5c7aa8b048312f1cab5758c4e4b5733ecc3001b9b777a9821d683a896495c627f

Path: C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
Filesize: 50B
MD5: 4b658913485479619a4c766b5837ba6e
SHA1: 8452da1531968ac0563c07250a9b6b19c39452e2
SHA256: 9c46808b6ac7375109d648ee1f15df214999a1f41b2abeafe3381d72837d6588
SHA512: 28c47bef01473752d9f2ded36f226ab1fd9292a0d9dc3fb39f4ca6e4a28bf8fb6befe8ddee110239d169fe4633d8a388a158b6a8f7a03ce9f32dcd39d2cc9729

Path: C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
Filesize: 50B
MD5: 0361ae7a54226ddb1dfb908253c48715
SHA1: d845751fa2ba547d6d6e981176ffb60486f91a27
SHA256: b60be4835483063fbf1111791fea6f073ce58cfaae5ed15a452f624e105b6348
SHA512: 65454028bd434d4761a236e73f4713cbd86d94a070365150f2d41ec0dfcc7944541a373720296d9e56a88c1a2c0c2f47c073b7d2f34083b70f0e69a744ecf765

Path: C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver8C.tmp
Filesize: 15KB
MD5: 1a545d0052b581fbb2ab4c52133846bc
SHA1: 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256: 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512: bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Path: C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml
Filesize: 15KB
MD5: 1a545d0052b581fbb2ab4c52133846bc
SHA1: 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256: 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512: bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Path: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\IntelService.exe
Filesize: 986KB
MD5: b0012bc717674b713c4d89afa68a1dfd
SHA1: 1c1ca4c4e490d6ed6f405c9950b303395356e87b
SHA256: ce66c9c37a504f071193bdab0c7569fa0e97a128740f553f043b8dbb8f6c9738
SHA512: 79244caa733d625e1e9a3381958495e9f0c30ad66e9a6f9d8dc18a19d8657317a655542fb18d1be6d9bf174a07f2f0c689a10b147a93bfb38d88395af4deae7f

Path: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\IntelService.exe.itykbyd.partial
Filesize: 986KB
MD5: b0012bc717674b713c4d89afa68a1dfd
SHA1: 1c1ca4c4e490d6ed6f405c9950b303395356e87b
SHA256: ce66c9c37a504f071193bdab0c7569fa0e97a128740f553f043b8dbb8f6c9738
SHA512: 79244caa733d625e1e9a3381958495e9f0c30ad66e9a6f9d8dc18a19d8657317a655542fb18d1be6d9bf174a07f2f0c689a10b147a93bfb38d88395af4deae7f

Path: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\chaos[1].exe
Filesize: 5.0MB
MD5: d77bcb9e4f0ab2a9800f814bddc64796
SHA1: 472793ae5d68a5c56f7ff48bf6c417029be37171
SHA256: c8523d5d5c12c9e454098134cc2b3af05039f85aaf6727a1871c40e747d4b807
SHA512: 6d88a30bad33269a2b797c4be4e13050b5ec2efa6a8bbc65ec5697a679525ede531aae5409ab202fb15df6ebc7d3903e1cbb5b72ee0754fb935b8da48ef2ad1e

Path: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\IntelService[1].exe
Filesize: 986KB
MD5: b0012bc717674b713c4d89afa68a1dfd
SHA1: 1c1ca4c4e490d6ed6f405c9950b303395356e87b
SHA256: ce66c9c37a504f071193bdab0c7569fa0e97a128740f553f043b8dbb8f6c9738
SHA512: 79244caa733d625e1e9a3381958495e9f0c30ad66e9a6f9d8dc18a19d8657317a655542fb18d1be6d9bf174a07f2f0c689a10b147a93bfb38d88395af4deae7f

Path: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\chaos.exe
Filesize: 5.0MB
MD5: d77bcb9e4f0ab2a9800f814bddc64796
SHA1: 472793ae5d68a5c56f7ff48bf6c417029be37171
SHA256: c8523d5d5c12c9e454098134cc2b3af05039f85aaf6727a1871c40e747d4b807
SHA512: 6d88a30bad33269a2b797c4be4e13050b5ec2efa6a8bbc65ec5697a679525ede531aae5409ab202fb15df6ebc7d3903e1cbb5b72ee0754fb935b8da48ef2ad1e

Path: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\chaos.exe.x6xaa0d.partial
Filesize: 5.0MB
MD5: d77bcb9e4f0ab2a9800f814bddc64796
SHA1: 472793ae5d68a5c56f7ff48bf6c417029be37171
SHA256: c8523d5d5c12c9e454098134cc2b3af05039f85aaf6727a1871c40e747d4b807
SHA512: 6d88a30bad33269a2b797c4be4e13050b5ec2efa6a8bbc65ec5697a679525ede531aae5409ab202fb15df6ebc7d3903e1cbb5b72ee0754fb935b8da48ef2ad1e

Path: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\cobalt_strike_4.7.zip.k3166q2.partial
Filesize: 136.2MB
MD5: 37077dded714b0566c026f75530bfbbb
SHA1: bf4da5b14ac221f8293cc0ba245d96ee198e1cd3
SHA256: c911016fa048c480563a7c39c6afb1b8335656e51991fc1a62f85aa6628c61f5
SHA512: d306e2e1ffa1c8b9d268b263770aa1346bb9324993784554476bf3f2bf1ff12b29f2b6b9c52c3e186d9513be4aab755d98b11b32905b000b1a0f6d6c4cc55e09

Path: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TUIJN6ZA\IntelInstallation.exe
Filesize: 6.7MB
MD5: 82792ba7124ecaa06893c3a6989bc70a
SHA1: c7caa0f4f696e38f4adb20a3efa2334f8a18675c
SHA256: 7a6d23d9845bb08f5f50a89a909fc5dfc865cb77a9e44f370b56fd22d7a7f74f
SHA512: 907d19656886883c6c4fe10657bef9d7380be3b7c16a23d448924d33577df8f552e6c4feca379bbf14bfc4d5c390114e8ad84965bb03d97d0cad5a046371e9b0

Path: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TUIJN6ZA\IntelInstallation.exe.a4pfnzj.partial
Filesize: 6.7MB
MD5: 82792ba7124ecaa06893c3a6989bc70a
SHA1: c7caa0f4f696e38f4adb20a3efa2334f8a18675c
SHA256: 7a6d23d9845bb08f5f50a89a909fc5dfc865cb77a9e44f370b56fd22d7a7f74f
SHA512: 907d19656886883c6c4fe10657bef9d7380be3b7c16a23d448924d33577df8f552e6c4feca379bbf14bfc4d5c390114e8ad84965bb03d97d0cad5a046371e9b0

Path: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\cobalt_strike_4.7[1].zip
Filesize: 136.2MB
MD5: 37077dded714b0566c026f75530bfbbb
SHA1: bf4da5b14ac221f8293cc0ba245d96ee198e1cd3
SHA256: c911016fa048c480563a7c39c6afb1b8335656e51991fc1a62f85aa6628c61f5
SHA512: d306e2e1ffa1c8b9d268b263770aa1346bb9324993784554476bf3f2bf1ff12b29f2b6b9c52c3e186d9513be4aab755d98b11b32905b000b1a0f6d6c4cc55e09

Path: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\suggestions[1].en-US
Filesize: 17KB
MD5: 5a34cb996293fde2cb7a4ac89587393a
SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Path: C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_A.exe
Filesize: 3.2MB
MD5: e304134514f7d41aaf59ac7f33640ee6
SHA1: 8bad53d74e0ce3b0fd45756ede792af25ce0e79a
SHA2565aa4f078387db3d4909494600d8797355da8edd93047039119dd3fb71abf66e7
SHA5127ad484d2cc195ff6850ebe564c1f7076b66e308b090d53b0ae24873f9986cc642ed648e416281077dbc5bb5d3a987102a5a958dbffeba85d058650f70612fcc9
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_T.exe
Filesize 3.2MB
MD5 40d62eddbff45d346db54f324aa84008
SHA1 0f40dcddb8ae4a1eedab47e7987eef133292ab91
SHA256 670e5d43cf31f19bda2ff0355456fbb657472402482e85202dc8a4f338d46858
SHA512 2274bde25d39170ad2e497ffd48d05397934588a413d60bbdde4fdda96226db5c7aa8b048312f1cab5758c4e4b5733ecc3001b9b777a9821d683a896495c627f
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\installation.bat
Filesize 38B
MD5 6c394f46eece6a9afe232492a2c8c2fa
SHA1 339a7e4dad0caa1c73af8c2425e64a4181ab9715
SHA256 f18ee7b9e8d4edca7b374a468ef076f5172f57bb4b26a3f5acfbe9d53e5fc201
SHA512 6a0ac3022ef4b98203badc24f2239c76012ba59704c333057dde6a29fd6db0137a9999c61c1ca086c5ff6404b2e3bbb12ddd56c17ea45871e976d44d640f3913
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\installation.vbs
Filesize 75B
MD5 a1bb86ecdb375e144840f6c94ddbd20c
SHA1 7d12aca5e928a4558e417cf69f958ca5b8acd39e
SHA256 8e814c00551b5b7e811528d270a962f65980c34dd39d2b964324448c6860a797
SHA512 f95693e623afb2e5b588cdf018a53ab58fbdd8cbd015946f289edb58679b7fb4df6a0437d372a52421c69d8bbc071859b69525fe31aa570a072abd4ccb70a9da
-
C:\Users\Admin\AppData\Roaming\Logs\03-23-2023
Filesize 224B
MD5 042fa416c8b5643f12a1f91c374b2f0e
SHA1 183cb6cbaa20d06adaad384b119a1b836f57074d
SHA256 86eadac6013259e27b1017b9110c8963c0697dfecabe9818e0398dd0d75f5788
SHA512 ef5d1fb5831ce86bf80dffc06c72f02fb0e68b3f348c1e20b85c525f689df533670b18694f550225f859aa7a781ec4bd5ff6b6e12c288fc180b7beccc7f7c917
-
C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe
Filesize 3.2MB
MD5 e304134514f7d41aaf59ac7f33640ee6
SHA1 8bad53d74e0ce3b0fd45756ede792af25ce0e79a
SHA256 5aa4f078387db3d4909494600d8797355da8edd93047039119dd3fb71abf66e7
SHA512 7ad484d2cc195ff6850ebe564c1f7076b66e308b090d53b0ae24873f9986cc642ed648e416281077dbc5bb5d3a987102a5a958dbffeba85d058650f70612fcc9
-
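The dropped-file list above is flattened report text, and the same payload shows up under several paths (browser cache copies, the RarSFX0 staging directory, and the SysWOW64 install directory). The following is an added example, not part of the sandbox report or of any tooling the report describes: a small parser that reads entries in the report's flattened "path + Filesize / MD5... / SHA1..." layout, groups them by SHA256, and flags hashes that appear both under a user-profile staging path and under C:\Windows, which is how the self-copy of HEU_A.exe to IntelServiceUpdate\IntelServiceUpdate.exe surfaces. The sample input is a constructed subset of three entries copied from the list above; the "staging vs. install path" heuristic (anything under C:\Windows\ counts as an install location) is an assumption of this example, not a rule from the report.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample input: three entries copied from the dropped-files
# list above, in the flattened "LabelValue" layout the report uses.
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_A.exeFilesize
3.2MB
MD5e304134514f7d41aaf59ac7f33640ee6
SHA18bad53d74e0ce3b0fd45756ede792af25ce0e79a
SHA2565aa4f078387db3d4909494600d8797355da8edd93047039119dd3fb71abf66e7
SHA5127ad484d2cc195ff6850ebe564c1f7076b66e308b090d53b0ae24873f9986cc642ed648e416281077dbc5bb5d3a987102a5a958dbffeba85d058650f70612fcc9
-
C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exeFilesize
3.2MB
MD5e304134514f7d41aaf59ac7f33640ee6
SHA18bad53d74e0ce3b0fd45756ede792af25ce0e79a
SHA2565aa4f078387db3d4909494600d8797355da8edd93047039119dd3fb71abf66e7
SHA5127ad484d2cc195ff6850ebe564c1f7076b66e308b090d53b0ae24873f9986cc642ed648e416281077dbc5bb5d3a987102a5a958dbffeba85d058650f70612fcc9
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\installation.batFilesize
38B
MD56c394f46eece6a9afe232492a2c8c2fa
SHA1339a7e4dad0caa1c73af8c2425e64a4181ab9715
SHA256f18ee7b9e8d4edca7b374a468ef076f5172f57bb4b26a3f5acfbe9d53e5fc201
SHA5126a0ac3022ef4b98203badc24f2239c76012ba59704c333057dde6a29fd6db0137a9999c61c1ca086c5ff6404b2e3bbb12ddd56c17ea45871e976d44d640f3913
-
"""

# Expected hex-digest lengths; a line whose digest has the wrong length is
# treated as a parse error rather than silently stored as an IoC.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")


def parse_dropped_files(text):
    """Parse flattened dropped-file entries into dicts with path, size and digests."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                      # entry separator
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.endswith("Filesize"):        # "<path>Filesize" opens an entry
            current = {"path": line[: -len("Filesize")], "size": None}
            continue
        if current is None:
            raise ValueError(f"line outside an entry: {line!r}")
        m = HASH_LINE.match(line)
        if m:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"{algo} digest has wrong length: {line!r}")
            current[algo] = digest
        elif current["size"] is None:        # first non-hash line is the size
            current["size"] = line
        else:
            raise ValueError(f"unparsed line in {current['path']!r}: {line!r}")
    if current is not None:
        entries.append(current)
    return entries


def group_by_sha256(entries):
    """Map each SHA256 to every path it was dropped under."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["sha256"]].append(e["path"])
    return dict(groups)


def is_install_path(path):
    # Assumption of this example: anything under C:\Windows\ is an install
    # location; everything else (AppData, Temp, browser cache) is staging.
    return path.lower().startswith("c:\\windows\\")


def find_self_copies(entries):
    """Hashes present under both a staging path and an install path."""
    found = []
    for sha256, paths in group_by_sha256(entries).items():
        install = [p for p in paths if is_install_path(p)]
        staging = [p for p in paths if not is_install_path(p)]
        if install and staging:
            found.append({"sha256": sha256,
                          "staging_paths": staging,
                          "install_paths": install})
    return found


def match_bytes(data, entries):
    """Return the report paths whose SHA256 matches the given file content."""
    digest = hashlib.sha256(data).hexdigest()
    return [e["path"] for e in entries if e["sha256"] == digest]


if __name__ == "__main__":
    parsed = parse_dropped_files(SAMPLE_REPORT)
    for hit in find_self_copies(parsed):
        print(hit["sha256"], "staged at", hit["staging_paths"],
              "installed to", hit["install_paths"])
```

Match on SHA256 rather than MD5 or SHA1 when you carry these hashes into a hunt; the report lists all four, but only SHA256 and SHA512 are collision-resistant enough to treat a match as identity.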
memory/972-149-0x0000000000400000-0x0000000000528000-memory.dmp
Filesize 1.2MB
-
memory/972-150-0x00000000762C0000-0x00000000764D5000-memory.dmp
Filesize 2.1MB
-
memory/972-2200-0x0000000000400000-0x0000000000528000-memory.dmp
Filesize 1.2MB
-
memory/1468-1326-0x0000000000710000-0x0000000000F9A000-memory.dmp
Filesize 8.5MB
-
memory/1468-1191-0x0000000006DD0000-0x0000000006DDA000-memory.dmp
Filesize 40KB
-
memory/1468-1104-0x00000000054F0000-0x0000000005500000-memory.dmp
Filesize 64KB
-
memory/1468-1386-0x00000000054F0000-0x0000000005500000-memory.dmp
Filesize 64KB
-
memory/1468-1088-0x0000000000710000-0x0000000000F9A000-memory.dmp
Filesize 8.5MB
-
memory/1468-1086-0x0000000000710000-0x0000000000F9A000-memory.dmp
Filesize 8.5MB
-
memory/1468-1061-0x0000000000710000-0x0000000000F9A000-memory.dmp
Filesize 8.5MB
-
memory/1608-2235-0x00000000009A0000-0x00000000009A1000-memory.dmp
Filesize 4KB
-
memory/2012-1680-0x00000000001D0000-0x0000000000A5C000-memory.dmp
Filesize 8.5MB
-
memory/2012-1602-0x00000000001D0000-0x0000000000A5C000-memory.dmp
Filesize 8.5MB
-
memory/2012-1623-0x00000000001D0000-0x0000000000A5C000-memory.dmp
Filesize 8.5MB
-
memory/2012-1624-0x00000000001D0000-0x0000000000A5C000-memory.dmp
Filesize 8.5MB
-
memory/2012-1626-0x00000000054D0000-0x00000000054E0000-memory.dmp
Filesize 64KB
-
memory/4008-916-0x0000000000BC0000-0x000000000144A000-memory.dmp
Filesize 8.5MB
-
memory/4008-924-0x0000000005E30000-0x00000000063D4000-memory.dmp
Filesize 5.6MB
-
memory/4008-886-0x0000000000BC0000-0x000000000144A000-memory.dmp
Filesize 8.5MB
-
memory/4008-919-0x0000000000BC0000-0x000000000144A000-memory.dmp
Filesize 8.5MB
-
memory/4008-926-0x0000000005710000-0x00000000057A2000-memory.dmp
Filesize 584KB
-
memory/4008-1063-0x0000000000BC0000-0x000000000144A000-memory.dmp
Filesize 8.5MB
-
memory/4008-1026-0x0000000006B50000-0x0000000006B8C000-memory.dmp
Filesize 240KB
-
memory/4008-972-0x0000000006720000-0x0000000006732000-memory.dmp
Filesize 72KB
-
memory/4008-964-0x0000000005B80000-0x0000000005BE6000-memory.dmp
Filesize 408KB
-
memory/4008-941-0x0000000005800000-0x0000000005810000-memory.dmp
Filesize 64KB
-
memory/4256-2248-0x00000000010D0000-0x00000000010D1000-memory.dmp
Filesize 4KB
-
memory/4256-2257-0x00000000010D0000-0x00000000010D1000-memory.dmp
Filesize 4KB
-
memory/4856-2202-0x0000000006100000-0x0000000006110000-memory.dmp
Filesize 64KB
-
memory/4856-2201-0x0000000000F10000-0x000000000179C000-memory.dmp
Filesize 8.5MB
-
memory/4856-1708-0x0000000006100000-0x0000000006110000-memory.dmp
Filesize 64KB
-
memory/4856-1689-0x0000000000F10000-0x000000000179C000-memory.dmp
Filesize 8.5MB
-
memory/4856-1702-0x0000000000F10000-0x000000000179C000-memory.dmp
Filesize 8.5MB
-
memory/4856-1700-0x0000000000F10000-0x000000000179C000-memory.dmp
Filesize 8.5MB