quasar | hxxp://20[.]214[.]232[.]149

Analysis

max time kernel
93s
max time network
191s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-03-2023 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://20.214.232.149

Score

10^/10

quasar heu_a heu_t evasion spyware themida trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

HEU_A

hacker.548848.xyz:4000

Mutex

QSR_MUTEX_y7qRPJXwrKoCCGjifB

Attributes

encryption_key
zOtqF7XIGfeSwK3tze2l
install_name
IntelServiceUpdate.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Intel Service Update
subdirectory
IntelServiceUpdate

Extracted

Family

quasar

Version

1.3.0.0

Botnet

HEU_T

81.68.120.79:4000

Mutex

QSR_MUTEX_kWiUJRAFspPTbob5of

Attributes

encryption_key
7GHKJ6ZgFY9nVhHS7b4U
install_name
IntelService.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Intel Service
subdirectory
IntelService

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4008-916-0x0000000000BC0000-0x000000000144A000-memory.dmp	family_quasar
behavioral1/memory/4008-919-0x0000000000BC0000-0x000000000144A000-memory.dmp	family_quasar
behavioral1/memory/4008-1063-0x0000000000BC0000-0x000000000144A000-memory.dmp	family_quasar
behavioral1/memory/1468-1086-0x0000000000710000-0x0000000000F9A000-memory.dmp	family_quasar
behavioral1/memory/1468-1088-0x0000000000710000-0x0000000000F9A000-memory.dmp	family_quasar
behavioral1/memory/2012-1623-0x00000000001D0000-0x0000000000A5C000-memory.dmp	family_quasar
behavioral1/memory/2012-1624-0x00000000001D0000-0x0000000000A5C000-memory.dmp	family_quasar
behavioral1/memory/2012-1680-0x00000000001D0000-0x0000000000A5C000-memory.dmp	family_quasar
behavioral1/memory/4856-1700-0x0000000000F10000-0x000000000179C000-memory.dmp	family_quasar
behavioral1/memory/4856-1702-0x0000000000F10000-0x000000000179C000-memory.dmp	family_quasar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

HEU_A.exeIntelServiceUpdate.exeHEU_T.exeIntelService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	HEU_A.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	IntelServiceUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	HEU_T.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	IntelService.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HEU_T.exeIntelService.exeHEU_A.exeIntelServiceUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	HEU_T.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	HEU_T.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IntelService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IntelService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	HEU_A.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	HEU_A.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IntelServiceUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IntelServiceUpdate.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeIntelInstallation.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	IntelInstallation.exe

Executes dropped EXE 7 IoCs

Processes:

chaos.exeIntelService.exeIntelInstallation.exeHEU_A.exeIntelServiceUpdate.exeHEU_T.exeIntelService.exe

pid process

4632 chaos.exe
972 IntelService.exe
3296 IntelInstallation.exe
4008 HEU_A.exe
1468 IntelServiceUpdate.exe
2012 HEU_T.exe
4856 IntelService.exe

pid	process
4632	chaos.exe
972	IntelService.exe
3296	IntelInstallation.exe
4008	HEU_A.exe
1468	IntelServiceUpdate.exe
2012	HEU_T.exe
4856	IntelService.exe

Themida packer 20 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_A.exe	themida
behavioral1/memory/4008-916-0x0000000000BC0000-0x000000000144A000-memory.dmp	themida
behavioral1/memory/4008-919-0x0000000000BC0000-0x000000000144A000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_A.exe	themida
C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe	themida
C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe	themida
behavioral1/memory/4008-1063-0x0000000000BC0000-0x000000000144A000-memory.dmp	themida
behavioral1/memory/1468-1086-0x0000000000710000-0x0000000000F9A000-memory.dmp	themida
behavioral1/memory/1468-1088-0x0000000000710000-0x0000000000F9A000-memory.dmp	themida
C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe	themida
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_T.exe	themida
behavioral1/memory/2012-1623-0x00000000001D0000-0x0000000000A5C000-memory.dmp	themida
behavioral1/memory/2012-1624-0x00000000001D0000-0x0000000000A5C000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_T.exe	themida
C:\Program Files (x86)\IntelService\IntelService.exe	themida
C:\Program Files (x86)\IntelService\IntelService.exe	themida
behavioral1/memory/2012-1680-0x00000000001D0000-0x0000000000A5C000-memory.dmp	themida
behavioral1/memory/4856-1700-0x0000000000F10000-0x000000000179C000-memory.dmp	themida
behavioral1/memory/4856-1702-0x0000000000F10000-0x000000000179C000-memory.dmp	themida
C:\Program Files (x86)\IntelService\IntelService.exe	themida

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

HEU_A.exeIntelServiceUpdate.exeHEU_T.exeIntelService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	HEU_A.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IntelServiceUpdate.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	HEU_T.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IntelService.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

58 ip-api.com

flow	ioc
58	ip-api.com

Drops file in System32 directory 3 IoCs

Processes:

IntelServiceUpdate.exeHEU_A.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\IntelServiceUpdate	IntelServiceUpdate.exe
File opened for modification	C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe	HEU_A.exe
File opened for modification	C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe	IntelServiceUpdate.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

HEU_A.exeIntelServiceUpdate.exeHEU_T.exeIntelService.exe

pid process

4008 HEU_A.exe
1468 IntelServiceUpdate.exe
2012 HEU_T.exe
4856 IntelService.exe

pid	process
4008	HEU_A.exe
1468	IntelServiceUpdate.exe
2012	HEU_T.exe
4856	IntelService.exe

Drops file in Program Files directory 3 IoCs

Processes:

HEU_T.exeIntelService.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\IntelService\IntelService.exe	HEU_T.exe
File opened for modification	C:\Program Files (x86)\IntelService\IntelService.exe	IntelService.exe
File opened for modification	C:\Program Files (x86)\IntelService	IntelService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3344 972 WerFault.exe IntelService.exe
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4104 schtasks.exe
1592 schtasks.exe
2940 schtasks.exe
4640 schtasks.exe
GoLang User-Agent 2 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 44 Go-http-client/1.1
HTTP User-Agent header 45 Go-http-client/1.1

pid	pid_target	process	target process
3344	972	WerFault.exe	IntelService.exe

pid	process
4104	schtasks.exe
1592	schtasks.exe
2940	schtasks.exe
4640	schtasks.exe

description	flow	ioc
HTTP User-Agent header	44	Go-http-client/1.1
HTTP User-Agent header	45	Go-http-client/1.1

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d3273793ae45d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50529233c85dd901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{58B19919-C9BB-11ED-9F77-EA1737350EF8} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31022536"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31022536"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "776948260"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038a9e23718fe574b84afdc36f043bb4c000000000200000000001066000000010000200000004bbdbd02fd35169ccc5b5ff8980e90a89b157534c133f1602c3a5bfe01a1cddb000000000e8000000002000020000000efb6ccab02f632160b5a721475de148b11ae4584905c40cb1dce45c2c272a72720000000d82432d162c8ca93791da94cb20f5c260c3f23338f475e72670fac3c31d4397940000000326daaa9398499131eec6278113154ece3c0b2bed60120786dea7364bc2b576edd164c7bc8d47f071d5318456b92139a568ca9823ec2f062437f2b0d77b1b212	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{5F2C1E62-7A1C-4F32-B17E-17B465B9B0DB}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "776948260"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 203b472fc85dd901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 705f232fc85dd901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038a9e23718fe574b84afdc36f043bb4c00000000020000000000106600000001000020000000baca6b82564892a9857dd6ce3eb4dd75e6ffb00d0aefdc86b7fc70fb141d42ac000000000e800000000200002000000058763324ac30cb247f99af5b83d6aa92b3728e2276fe8c1073a6f5063dcb103620000000bc1227b20fe347080ffbb01321fa5ba11c86e448c506fbd4e407bb4109fc177c40000000a17957e81834ea395933c2549dc391c9063d91a12980bd7cfe15feb609407dae57b149cf49bda0c27b2f813c9bdaf9043b81e65c8e8af25abfb9357bf1af499e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038a9e23718fe574b84afdc36f043bb4c00000000020000000000106600000001000020000000f3be62642dc8d51cf30ac87453f6c608648a0fe9ce5b85ee049ab43eb6ad51b1000000000e8000000002000020000000ee8da070999c8003136f5aad7fe3dd78cc4e468f9ca86b6ad60d1461cc16926f20000000fdcd5c1bc1b0ccc031c55124631bf5253ed8dc5598a2e0ceb96fb95ae7e19aa6400000006f53d7f4d8ad4b283335d7db416487c86f746e2f83d5da6817320f2a8b568d5d67758e8d6c156960a04ee75f1af802592939c6f09ce2cd7cc733e288b589b8c9	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "386369182"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20949a37c85dd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000038a9e23718fe574b84afdc36f043bb4c0000000002000000000010660000000100002000000023fd6acf24f4fdc228765986aff849e0ba017ab94d5c01d2f2051ba1420998ae000000000e80000000020000200000000c1190bb180b2ed055d7ed39c51cd6f64858a2defe705a5c383e63a72e748ea620000000864a2969c6fcc8731609954c0d2f635a2d12828dada31adb37cff3a9038beceb40000000cb07ede1ece4f5424dcd3c5de34855957fdde0397c529060b945a6023fe9e1f9db9a2e6fa574ddfc082b6e3e768d71c04821fe8daac8a6eec0255e80c6989496	iexplore.exe

Modifies registry class 1 IoCs

Processes:

IntelInstallation.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings IntelInstallation.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2116 iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	IntelInstallation.exe

pid	process
2116	iexplore.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

HEU_A.exeIntelServiceUpdate.exeHEU_T.exeIntelService.exe

description	pid	process
Token: SeDebugPrivilege	4008	HEU_A.exe
Token: SeDebugPrivilege	1468	IntelServiceUpdate.exe
Token: SeDebugPrivilege	2012	HEU_T.exe
Token: SeDebugPrivilege	4856	IntelService.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exe

pid process

2116 iexplore.exe
2116 iexplore.exe
2116 iexplore.exe
2116 iexplore.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIntelServiceUpdate.exeIntelService.exe

pid process

2116 iexplore.exe
2116 iexplore.exe
224 IEXPLORE.EXE
224 IEXPLORE.EXE
224 IEXPLORE.EXE
224 IEXPLORE.EXE
1468 IntelServiceUpdate.exe
4856 IntelService.exe

pid	process
2116	iexplore.exe
2116	iexplore.exe
2116	iexplore.exe
2116	iexplore.exe

pid	process
2116	iexplore.exe
2116	iexplore.exe
224	IEXPLORE.EXE
224	IEXPLORE.EXE
224	IEXPLORE.EXE
224	IEXPLORE.EXE
1468	IntelServiceUpdate.exe
4856	IntelService.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

iexplore.exeIntelInstallation.exeWScript.execmd.exeHEU_A.exeIntelServiceUpdate.exeHEU_T.exeIntelService.exe

description	pid	process	target process
PID 2116 wrote to memory of 224	2116	iexplore.exe	IEXPLORE.EXE
PID 2116 wrote to memory of 224	2116	iexplore.exe	IEXPLORE.EXE
PID 2116 wrote to memory of 224	2116	iexplore.exe	IEXPLORE.EXE
PID 2116 wrote to memory of 4632	2116	iexplore.exe	chaos.exe
PID 2116 wrote to memory of 4632	2116	iexplore.exe	chaos.exe
PID 2116 wrote to memory of 972	2116	iexplore.exe	IntelService.exe
PID 2116 wrote to memory of 972	2116	iexplore.exe	IntelService.exe
PID 2116 wrote to memory of 972	2116	iexplore.exe	IntelService.exe
PID 2116 wrote to memory of 3296	2116	iexplore.exe	IntelInstallation.exe
PID 2116 wrote to memory of 3296	2116	iexplore.exe	IntelInstallation.exe
PID 2116 wrote to memory of 3296	2116	iexplore.exe	IntelInstallation.exe
PID 3296 wrote to memory of 5100	3296	IntelInstallation.exe	WScript.exe
PID 3296 wrote to memory of 5100	3296	IntelInstallation.exe	WScript.exe
PID 3296 wrote to memory of 5100	3296	IntelInstallation.exe	WScript.exe
PID 5100 wrote to memory of 1964	5100	WScript.exe	cmd.exe
PID 5100 wrote to memory of 1964	5100	WScript.exe	cmd.exe
PID 5100 wrote to memory of 1964	5100	WScript.exe	cmd.exe
PID 1964 wrote to memory of 4008	1964	cmd.exe	HEU_A.exe
PID 1964 wrote to memory of 4008	1964	cmd.exe	HEU_A.exe
PID 1964 wrote to memory of 4008	1964	cmd.exe	HEU_A.exe
PID 4008 wrote to memory of 4104	4008	HEU_A.exe	schtasks.exe
PID 4008 wrote to memory of 4104	4008	HEU_A.exe	schtasks.exe
PID 4008 wrote to memory of 4104	4008	HEU_A.exe	schtasks.exe
PID 4008 wrote to memory of 1468	4008	HEU_A.exe	IntelServiceUpdate.exe
PID 4008 wrote to memory of 1468	4008	HEU_A.exe	IntelServiceUpdate.exe
PID 4008 wrote to memory of 1468	4008	HEU_A.exe	IntelServiceUpdate.exe
PID 1468 wrote to memory of 1592	1468	IntelServiceUpdate.exe	schtasks.exe
PID 1468 wrote to memory of 1592	1468	IntelServiceUpdate.exe	schtasks.exe
PID 1468 wrote to memory of 1592	1468	IntelServiceUpdate.exe	schtasks.exe
PID 1964 wrote to memory of 2012	1964	cmd.exe	HEU_T.exe
PID 1964 wrote to memory of 2012	1964	cmd.exe	HEU_T.exe
PID 1964 wrote to memory of 2012	1964	cmd.exe	HEU_T.exe
PID 2012 wrote to memory of 2940	2012	HEU_T.exe	schtasks.exe
PID 2012 wrote to memory of 2940	2012	HEU_T.exe	schtasks.exe
PID 2012 wrote to memory of 2940	2012	HEU_T.exe	schtasks.exe
PID 2012 wrote to memory of 4856	2012	HEU_T.exe	IntelService.exe
PID 2012 wrote to memory of 4856	2012	HEU_T.exe	IntelService.exe
PID 2012 wrote to memory of 4856	2012	HEU_T.exe	IntelService.exe
PID 4856 wrote to memory of 4640	4856	IntelService.exe	schtasks.exe
PID 4856 wrote to memory of 4640	4856	IntelService.exe	schtasks.exe
PID 4856 wrote to memory of 4640	4856	IntelService.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://20.214.232.149
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2116

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2116 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:224

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\chaos.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\chaos.exe"
2⤵
- Executes dropped EXE
PID:4632

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\IntelService.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\IntelService.exe"
2⤵
- Executes dropped EXE
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 316
3⤵
- Program crash
PID:3344

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TUIJN6ZA\IntelInstallation.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TUIJN6ZA\IntelInstallation.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3296

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\installation.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\installation.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_A.exe
HEU_A.exe
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Intel Service Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_A.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:4104

C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe
"C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe"
6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Intel Service Update" /sc ONLOGON /tr "C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:1592

C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_T.exe
HEU_T.exe
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Intel Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_T.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:2940

C:\Program Files (x86)\IntelService\IntelService.exe
"C:\Program Files (x86)\IntelService\IntelService.exe"
6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Intel Service" /sc ONLOGON /tr "C:\Program Files (x86)\IntelService\IntelService.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 972 -ip 972
1⤵
PID:2676

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2520

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\cobalt_strike_4.7\cobaltstrike.jar"
1⤵
PID:1608

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\cobalt_strike_4.7\cobaltstrike-client.jar"
1⤵
PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\cobalt_strike_4.7\ddosi.org.bat" "
1⤵
PID:1260

C:\ProgramData\Oracle\Java\javapath\java.exe
java -XX:ParallelGCThreads=4 -XX:+AggressiveHeap -XX:+UseParallelGC -Xms512M -Xmx1024M -jar cobaltstrike-client.jar
2⤵
PID:1560

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\IntelService\IntelService.exe
Filesize
3.2MB

MD5
40d62eddbff45d346db54f324aa84008

SHA1
0f40dcddb8ae4a1eedab47e7987eef133292ab91

SHA256
670e5d43cf31f19bda2ff0355456fbb657472402482e85202dc8a4f338d46858

SHA512
2274bde25d39170ad2e497ffd48d05397934588a413d60bbdde4fdda96226db5c7aa8b048312f1cab5758c4e4b5733ecc3001b9b777a9821d683a896495c627f

Download Submit
C:\Program Files (x86)\IntelService\IntelService.exe
Filesize
3.2MB

MD5
40d62eddbff45d346db54f324aa84008

SHA1
0f40dcddb8ae4a1eedab47e7987eef133292ab91

SHA256
670e5d43cf31f19bda2ff0355456fbb657472402482e85202dc8a4f338d46858

SHA512
2274bde25d39170ad2e497ffd48d05397934588a413d60bbdde4fdda96226db5c7aa8b048312f1cab5758c4e4b5733ecc3001b9b777a9821d683a896495c627f

Download Submit
C:\Program Files (x86)\IntelService\IntelService.exe
Filesize
3.2MB

MD5
40d62eddbff45d346db54f324aa84008

SHA1
0f40dcddb8ae4a1eedab47e7987eef133292ab91

SHA256
670e5d43cf31f19bda2ff0355456fbb657472402482e85202dc8a4f338d46858

SHA512
2274bde25d39170ad2e497ffd48d05397934588a413d60bbdde4fdda96226db5c7aa8b048312f1cab5758c4e4b5733ecc3001b9b777a9821d683a896495c627f

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
Filesize
50B

MD5
4b658913485479619a4c766b5837ba6e

SHA1
8452da1531968ac0563c07250a9b6b19c39452e2

SHA256
9c46808b6ac7375109d648ee1f15df214999a1f41b2abeafe3381d72837d6588

SHA512
28c47bef01473752d9f2ded36f226ab1fd9292a0d9dc3fb39f4ca6e4a28bf8fb6befe8ddee110239d169fe4633d8a388a158b6a8f7a03ce9f32dcd39d2cc9729

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
Filesize
50B

MD5
0361ae7a54226ddb1dfb908253c48715

SHA1
d845751fa2ba547d6d6e981176ffb60486f91a27

SHA256
b60be4835483063fbf1111791fea6f073ce58cfaae5ed15a452f624e105b6348

SHA512
65454028bd434d4761a236e73f4713cbd86d94a070365150f2d41ec0dfcc7944541a373720296d9e56a88c1a2c0c2f47c073b7d2f34083b70f0e69a744ecf765

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver8C.tmp
Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml
Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\IntelService.exe
Filesize
986KB

MD5
b0012bc717674b713c4d89afa68a1dfd

SHA1
1c1ca4c4e490d6ed6f405c9950b303395356e87b

SHA256
ce66c9c37a504f071193bdab0c7569fa0e97a128740f553f043b8dbb8f6c9738

SHA512
79244caa733d625e1e9a3381958495e9f0c30ad66e9a6f9d8dc18a19d8657317a655542fb18d1be6d9bf174a07f2f0c689a10b147a93bfb38d88395af4deae7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\IntelService.exe.itykbyd.partial
Filesize
986KB

MD5
b0012bc717674b713c4d89afa68a1dfd

SHA1
1c1ca4c4e490d6ed6f405c9950b303395356e87b

SHA256
ce66c9c37a504f071193bdab0c7569fa0e97a128740f553f043b8dbb8f6c9738

SHA512
79244caa733d625e1e9a3381958495e9f0c30ad66e9a6f9d8dc18a19d8657317a655542fb18d1be6d9bf174a07f2f0c689a10b147a93bfb38d88395af4deae7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\chaos[1].exe
Filesize
5.0MB

MD5
d77bcb9e4f0ab2a9800f814bddc64796

SHA1
472793ae5d68a5c56f7ff48bf6c417029be37171

SHA256
c8523d5d5c12c9e454098134cc2b3af05039f85aaf6727a1871c40e747d4b807

SHA512
6d88a30bad33269a2b797c4be4e13050b5ec2efa6a8bbc65ec5697a679525ede531aae5409ab202fb15df6ebc7d3903e1cbb5b72ee0754fb935b8da48ef2ad1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\IntelService[1].exe
Filesize
986KB

MD5
b0012bc717674b713c4d89afa68a1dfd

SHA1
1c1ca4c4e490d6ed6f405c9950b303395356e87b

SHA256
ce66c9c37a504f071193bdab0c7569fa0e97a128740f553f043b8dbb8f6c9738

SHA512
79244caa733d625e1e9a3381958495e9f0c30ad66e9a6f9d8dc18a19d8657317a655542fb18d1be6d9bf174a07f2f0c689a10b147a93bfb38d88395af4deae7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\chaos.exe
Filesize
5.0MB

MD5
d77bcb9e4f0ab2a9800f814bddc64796

SHA1
472793ae5d68a5c56f7ff48bf6c417029be37171

SHA256
c8523d5d5c12c9e454098134cc2b3af05039f85aaf6727a1871c40e747d4b807

SHA512
6d88a30bad33269a2b797c4be4e13050b5ec2efa6a8bbc65ec5697a679525ede531aae5409ab202fb15df6ebc7d3903e1cbb5b72ee0754fb935b8da48ef2ad1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\chaos.exe.x6xaa0d.partial
Filesize
5.0MB

MD5
d77bcb9e4f0ab2a9800f814bddc64796

SHA1
472793ae5d68a5c56f7ff48bf6c417029be37171

SHA256
c8523d5d5c12c9e454098134cc2b3af05039f85aaf6727a1871c40e747d4b807

SHA512
6d88a30bad33269a2b797c4be4e13050b5ec2efa6a8bbc65ec5697a679525ede531aae5409ab202fb15df6ebc7d3903e1cbb5b72ee0754fb935b8da48ef2ad1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\S1Q31HZS\cobalt_strike_4.7.zip.k3166q2.partial
Filesize
136.2MB

MD5
37077dded714b0566c026f75530bfbbb

SHA1
bf4da5b14ac221f8293cc0ba245d96ee198e1cd3

SHA256
c911016fa048c480563a7c39c6afb1b8335656e51991fc1a62f85aa6628c61f5

SHA512
d306e2e1ffa1c8b9d268b263770aa1346bb9324993784554476bf3f2bf1ff12b29f2b6b9c52c3e186d9513be4aab755d98b11b32905b000b1a0f6d6c4cc55e09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TUIJN6ZA\IntelInstallation.exe
Filesize
6.7MB

MD5
82792ba7124ecaa06893c3a6989bc70a

SHA1
c7caa0f4f696e38f4adb20a3efa2334f8a18675c

SHA256
7a6d23d9845bb08f5f50a89a909fc5dfc865cb77a9e44f370b56fd22d7a7f74f

SHA512
907d19656886883c6c4fe10657bef9d7380be3b7c16a23d448924d33577df8f552e6c4feca379bbf14bfc4d5c390114e8ad84965bb03d97d0cad5a046371e9b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TUIJN6ZA\IntelInstallation.exe.a4pfnzj.partial
Filesize
6.7MB

MD5
82792ba7124ecaa06893c3a6989bc70a

SHA1
c7caa0f4f696e38f4adb20a3efa2334f8a18675c

SHA256
7a6d23d9845bb08f5f50a89a909fc5dfc865cb77a9e44f370b56fd22d7a7f74f

SHA512
907d19656886883c6c4fe10657bef9d7380be3b7c16a23d448924d33577df8f552e6c4feca379bbf14bfc4d5c390114e8ad84965bb03d97d0cad5a046371e9b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\cobalt_strike_4.7[1].zip
Filesize
136.2MB

MD5
37077dded714b0566c026f75530bfbbb

SHA1
bf4da5b14ac221f8293cc0ba245d96ee198e1cd3

SHA256
c911016fa048c480563a7c39c6afb1b8335656e51991fc1a62f85aa6628c61f5

SHA512
d306e2e1ffa1c8b9d268b263770aa1346bb9324993784554476bf3f2bf1ff12b29f2b6b9c52c3e186d9513be4aab755d98b11b32905b000b1a0f6d6c4cc55e09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_A.exe
Filesize
3.2MB

MD5
e304134514f7d41aaf59ac7f33640ee6

SHA1
8bad53d74e0ce3b0fd45756ede792af25ce0e79a

SHA256
5aa4f078387db3d4909494600d8797355da8edd93047039119dd3fb71abf66e7

SHA512
7ad484d2cc195ff6850ebe564c1f7076b66e308b090d53b0ae24873f9986cc642ed648e416281077dbc5bb5d3a987102a5a958dbffeba85d058650f70612fcc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_A.exe
Filesize
3.2MB

MD5
e304134514f7d41aaf59ac7f33640ee6

SHA1
8bad53d74e0ce3b0fd45756ede792af25ce0e79a

SHA256
5aa4f078387db3d4909494600d8797355da8edd93047039119dd3fb71abf66e7

SHA512
7ad484d2cc195ff6850ebe564c1f7076b66e308b090d53b0ae24873f9986cc642ed648e416281077dbc5bb5d3a987102a5a958dbffeba85d058650f70612fcc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_T.exe
Filesize
3.2MB

MD5
40d62eddbff45d346db54f324aa84008

SHA1
0f40dcddb8ae4a1eedab47e7987eef133292ab91

SHA256
670e5d43cf31f19bda2ff0355456fbb657472402482e85202dc8a4f338d46858

SHA512
2274bde25d39170ad2e497ffd48d05397934588a413d60bbdde4fdda96226db5c7aa8b048312f1cab5758c4e4b5733ecc3001b9b777a9821d683a896495c627f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_T.exe
Filesize
3.2MB

MD5
40d62eddbff45d346db54f324aa84008

SHA1
0f40dcddb8ae4a1eedab47e7987eef133292ab91

SHA256
670e5d43cf31f19bda2ff0355456fbb657472402482e85202dc8a4f338d46858

SHA512
2274bde25d39170ad2e497ffd48d05397934588a413d60bbdde4fdda96226db5c7aa8b048312f1cab5758c4e4b5733ecc3001b9b777a9821d683a896495c627f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\installation.bat
Filesize
38B

MD5
6c394f46eece6a9afe232492a2c8c2fa

SHA1
339a7e4dad0caa1c73af8c2425e64a4181ab9715

SHA256
f18ee7b9e8d4edca7b374a468ef076f5172f57bb4b26a3f5acfbe9d53e5fc201

SHA512
6a0ac3022ef4b98203badc24f2239c76012ba59704c333057dde6a29fd6db0137a9999c61c1ca086c5ff6404b2e3bbb12ddd56c17ea45871e976d44d640f3913

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\installation.vbs
Filesize
75B

MD5
a1bb86ecdb375e144840f6c94ddbd20c

SHA1
7d12aca5e928a4558e417cf69f958ca5b8acd39e

SHA256
8e814c00551b5b7e811528d270a962f65980c34dd39d2b964324448c6860a797

SHA512
f95693e623afb2e5b588cdf018a53ab58fbdd8cbd015946f289edb58679b7fb4df6a0437d372a52421c69d8bbc071859b69525fe31aa570a072abd4ccb70a9da

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\03-23-2023
Filesize
224B

MD5
042fa416c8b5643f12a1f91c374b2f0e

SHA1
183cb6cbaa20d06adaad384b119a1b836f57074d

SHA256
86eadac6013259e27b1017b9110c8963c0697dfecabe9818e0398dd0d75f5788

SHA512
ef5d1fb5831ce86bf80dffc06c72f02fb0e68b3f348c1e20b85c525f689df533670b18694f550225f859aa7a781ec4bd5ff6b6e12c288fc180b7beccc7f7c917

Download Submit
C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe
Filesize
3.2MB

MD5
e304134514f7d41aaf59ac7f33640ee6

SHA1
8bad53d74e0ce3b0fd45756ede792af25ce0e79a

SHA256
5aa4f078387db3d4909494600d8797355da8edd93047039119dd3fb71abf66e7

SHA512
7ad484d2cc195ff6850ebe564c1f7076b66e308b090d53b0ae24873f9986cc642ed648e416281077dbc5bb5d3a987102a5a958dbffeba85d058650f70612fcc9

Download Submit
C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe
Filesize
3.2MB

MD5
e304134514f7d41aaf59ac7f33640ee6

SHA1
8bad53d74e0ce3b0fd45756ede792af25ce0e79a

SHA256
5aa4f078387db3d4909494600d8797355da8edd93047039119dd3fb71abf66e7

SHA512
7ad484d2cc195ff6850ebe564c1f7076b66e308b090d53b0ae24873f9986cc642ed648e416281077dbc5bb5d3a987102a5a958dbffeba85d058650f70612fcc9

Download Submit
C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe
Filesize
3.2MB

MD5
e304134514f7d41aaf59ac7f33640ee6

SHA1
8bad53d74e0ce3b0fd45756ede792af25ce0e79a

SHA256
5aa4f078387db3d4909494600d8797355da8edd93047039119dd3fb71abf66e7

SHA512
7ad484d2cc195ff6850ebe564c1f7076b66e308b090d53b0ae24873f9986cc642ed648e416281077dbc5bb5d3a987102a5a958dbffeba85d058650f70612fcc9

Download Submit
memory/972-149-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/972-150-0x00000000762C0000-0x00000000764D5000-memory.dmp

Filesize
2.1MB

Download
memory/972-2200-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/1468-1326-0x0000000000710000-0x0000000000F9A000-memory.dmp

Filesize
8.5MB

Download
memory/1468-1191-0x0000000006DD0000-0x0000000006DDA000-memory.dmp

Filesize
40KB

Download
memory/1468-1104-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/1468-1386-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/1468-1088-0x0000000000710000-0x0000000000F9A000-memory.dmp

Filesize
8.5MB

Download
memory/1468-1086-0x0000000000710000-0x0000000000F9A000-memory.dmp

Filesize
8.5MB

Download
memory/1468-1061-0x0000000000710000-0x0000000000F9A000-memory.dmp

Filesize
8.5MB

Download
memory/1608-2235-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/2012-1680-0x00000000001D0000-0x0000000000A5C000-memory.dmp

Filesize
8.5MB

Download
memory/2012-1602-0x00000000001D0000-0x0000000000A5C000-memory.dmp

Filesize
8.5MB

Download
memory/2012-1623-0x00000000001D0000-0x0000000000A5C000-memory.dmp

Filesize
8.5MB

Download
memory/2012-1624-0x00000000001D0000-0x0000000000A5C000-memory.dmp

Filesize
8.5MB

Download
memory/2012-1626-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/4008-916-0x0000000000BC0000-0x000000000144A000-memory.dmp

Filesize
8.5MB

Download
memory/4008-924-0x0000000005E30000-0x00000000063D4000-memory.dmp

Filesize
5.6MB

Download
memory/4008-886-0x0000000000BC0000-0x000000000144A000-memory.dmp

Filesize
8.5MB

Download
memory/4008-919-0x0000000000BC0000-0x000000000144A000-memory.dmp

Filesize
8.5MB

Download
memory/4008-926-0x0000000005710000-0x00000000057A2000-memory.dmp

Filesize
584KB

Download
memory/4008-1063-0x0000000000BC0000-0x000000000144A000-memory.dmp

Filesize
8.5MB

Download
memory/4008-1026-0x0000000006B50000-0x0000000006B8C000-memory.dmp

Filesize
240KB

Download
memory/4008-972-0x0000000006720000-0x0000000006732000-memory.dmp

Filesize
72KB

Download
memory/4008-964-0x0000000005B80000-0x0000000005BE6000-memory.dmp

Filesize
408KB

Download
memory/4008-941-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/4256-2248-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/4256-2257-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/4856-2202-0x0000000006100000-0x0000000006110000-memory.dmp

Filesize
64KB

Download
memory/4856-2201-0x0000000000F10000-0x000000000179C000-memory.dmp

Filesize
8.5MB

Download
memory/4856-1708-0x0000000006100000-0x0000000006110000-memory.dmp

Filesize
64KB

Download
memory/4856-1689-0x0000000000F10000-0x000000000179C000-memory.dmp

Filesize
8.5MB

Download
memory/4856-1702-0x0000000000F10000-0x000000000179C000-memory.dmp

Filesize
8.5MB

Download
memory/4856-1700-0x0000000000F10000-0x000000000179C000-memory.dmp

Filesize
8.5MB

Download