quasar | 7a6d23d9845bb08f5f50a89a909fc5dfc865cb77a9e44f370b56fd22d7a7f74f

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25-03-2023 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

6.7MB
MD5

82792ba7124ecaa06893c3a6989bc70a
SHA1

c7caa0f4f696e38f4adb20a3efa2334f8a18675c
SHA256

7a6d23d9845bb08f5f50a89a909fc5dfc865cb77a9e44f370b56fd22d7a7f74f
SHA512

907d19656886883c6c4fe10657bef9d7380be3b7c16a23d448924d33577df8f552e6c4feca379bbf14bfc4d5c390114e8ad84965bb03d97d0cad5a046371e9b0
SSDEEP

196608:SdpVzj3zsdu95DsmQDzgnxUd9B0IETkQHXrjAYaUxHfl:eVzjjsdAsNzt9OIETkSXrj9txHfl

Score

10^/10

quasar heu_a heu_t evasion spyware themida trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

HEU_A

hacker.548848.xyz:4000

Mutex

QSR_MUTEX_y7qRPJXwrKoCCGjifB

Attributes

encryption_key
zOtqF7XIGfeSwK3tze2l
install_name
IntelServiceUpdate.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Intel Service Update
subdirectory
IntelServiceUpdate

Extracted

Family

quasar

Version

1.3.0.0

Botnet

HEU_T

81.68.120.79:4000

Mutex

QSR_MUTEX_kWiUJRAFspPTbob5of

Attributes

encryption_key
7GHKJ6ZgFY9nVhHS7b4U
install_name
IntelService.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Intel Service
subdirectory
IntelService

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1944-72-0x0000000000040000-0x00000000008CA000-memory.dmp	family_quasar
behavioral1/memory/1944-74-0x0000000000040000-0x00000000008CA000-memory.dmp	family_quasar
behavioral1/memory/1944-83-0x0000000000040000-0x00000000008CA000-memory.dmp	family_quasar
behavioral1/memory/2004-91-0x0000000000D80000-0x000000000160A000-memory.dmp	family_quasar
behavioral1/memory/1588-96-0x0000000000990000-0x000000000121C000-memory.dmp	family_quasar
behavioral1/memory/2004-98-0x0000000000D80000-0x000000000160A000-memory.dmp	family_quasar
behavioral1/memory/1588-97-0x0000000000990000-0x000000000121C000-memory.dmp	family_quasar
behavioral1/memory/2004-99-0x0000000000D80000-0x000000000160A000-memory.dmp	family_quasar
behavioral1/memory/1588-109-0x0000000000990000-0x000000000121C000-memory.dmp	family_quasar
behavioral1/memory/860-116-0x0000000000C10000-0x000000000149C000-memory.dmp	family_quasar
behavioral1/memory/860-117-0x0000000000C10000-0x000000000149C000-memory.dmp	family_quasar

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

HEU_A.exeIntelServiceUpdate.exeHEU_T.exeIntelService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	HEU_A.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	IntelServiceUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	HEU_T.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	IntelService.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

IntelServiceUpdate.exeHEU_T.exeIntelService.exeHEU_A.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IntelServiceUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	HEU_T.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	HEU_T.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IntelService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IntelService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	HEU_A.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	HEU_A.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IntelServiceUpdate.exe

Executes dropped EXE 4 IoCs

Processes:

HEU_A.exeIntelServiceUpdate.exeHEU_T.exeIntelService.exe

pid process

1944 HEU_A.exe
2004 IntelServiceUpdate.exe
1588 HEU_T.exe
860 IntelService.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.exeHEU_A.exeHEU_T.exe

pid process

2036 cmd.exe
1944 HEU_A.exe
2036 cmd.exe
1588 HEU_T.exe

pid	process
1944	HEU_A.exe
2004	IntelServiceUpdate.exe
1588	HEU_T.exe
860	IntelService.exe

pid	process
2036	cmd.exe
1944	HEU_A.exe
2036	cmd.exe
1588	HEU_T.exe

Themida packer 25 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_A.exe	themida
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_A.exe	themida
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_A.exe	themida
behavioral1/memory/1944-72-0x0000000000040000-0x00000000008CA000-memory.dmp	themida
behavioral1/memory/1944-74-0x0000000000040000-0x00000000008CA000-memory.dmp	themida
\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe	themida
C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe	themida
C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe	themida
behavioral1/memory/1944-83-0x0000000000040000-0x00000000008CA000-memory.dmp	themida
\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_T.exe	themida
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_T.exe	themida
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_T.exe	themida
behavioral1/memory/2004-91-0x0000000000D80000-0x000000000160A000-memory.dmp	themida
behavioral1/memory/1588-96-0x0000000000990000-0x000000000121C000-memory.dmp	themida
behavioral1/memory/2004-98-0x0000000000D80000-0x000000000160A000-memory.dmp	themida
behavioral1/memory/1588-97-0x0000000000990000-0x000000000121C000-memory.dmp	themida
behavioral1/memory/2004-99-0x0000000000D80000-0x000000000160A000-memory.dmp	themida
\Program Files (x86)\IntelService\IntelService.exe	themida
C:\Program Files (x86)\IntelService\IntelService.exe	themida
C:\Program Files (x86)\IntelService\IntelService.exe	themida
behavioral1/memory/1588-109-0x0000000000990000-0x000000000121C000-memory.dmp	themida
C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe	themida
behavioral1/memory/860-116-0x0000000000C10000-0x000000000149C000-memory.dmp	themida
behavioral1/memory/860-117-0x0000000000C10000-0x000000000149C000-memory.dmp	themida
C:\Program Files (x86)\IntelService\IntelService.exe	themida

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

HEU_A.exeIntelServiceUpdate.exeHEU_T.exeIntelService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	HEU_A.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IntelServiceUpdate.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	HEU_T.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IntelService.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

flow	ioc
1	ip-api.com

Drops file in System32 directory 3 IoCs

Processes:

IntelServiceUpdate.exeHEU_A.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\IntelServiceUpdate	IntelServiceUpdate.exe
File opened for modification	C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe	HEU_A.exe
File opened for modification	C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe	IntelServiceUpdate.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

HEU_A.exeIntelServiceUpdate.exeHEU_T.exeIntelService.exe

pid process

1944 HEU_A.exe
2004 IntelServiceUpdate.exe
1588 HEU_T.exe
860 IntelService.exe

pid	process
1944	HEU_A.exe
2004	IntelServiceUpdate.exe
1588	HEU_T.exe
860	IntelService.exe

Drops file in Program Files directory 3 IoCs

Processes:

HEU_T.exeIntelService.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\IntelService\IntelService.exe	HEU_T.exe
File opened for modification	C:\Program Files (x86)\IntelService\IntelService.exe	IntelService.exe
File opened for modification	C:\Program Files (x86)\IntelService	IntelService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

856 schtasks.exe
1472 schtasks.exe
1184 schtasks.exe
1708 schtasks.exe

pid	process
856	schtasks.exe
1472	schtasks.exe
1184	schtasks.exe
1708	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

HEU_A.exeHEU_T.exeIntelServiceUpdate.exeIntelService.exe

description	pid	process
Token: SeDebugPrivilege	1944	HEU_A.exe
Token: SeDebugPrivilege	1588	HEU_T.exe
Token: SeDebugPrivilege	2004	IntelServiceUpdate.exe
Token: SeDebugPrivilege	860	IntelService.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

IntelServiceUpdate.exeIntelService.exe

pid process

2004 IntelServiceUpdate.exe
860 IntelService.exe

pid	process
2004	IntelServiceUpdate.exe
860	IntelService.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

tmp.exeWScript.execmd.exeHEU_A.exeHEU_T.exeIntelServiceUpdate.exeIntelService.exe

description	pid	process	target process
PID 1040 wrote to memory of 660	1040	tmp.exe	WScript.exe
PID 1040 wrote to memory of 660	1040	tmp.exe	WScript.exe
PID 1040 wrote to memory of 660	1040	tmp.exe	WScript.exe
PID 1040 wrote to memory of 660	1040	tmp.exe	WScript.exe
PID 660 wrote to memory of 2036	660	WScript.exe	cmd.exe
PID 660 wrote to memory of 2036	660	WScript.exe	cmd.exe
PID 660 wrote to memory of 2036	660	WScript.exe	cmd.exe
PID 660 wrote to memory of 2036	660	WScript.exe	cmd.exe
PID 660 wrote to memory of 2036	660	WScript.exe	cmd.exe
PID 660 wrote to memory of 2036	660	WScript.exe	cmd.exe
PID 660 wrote to memory of 2036	660	WScript.exe	cmd.exe
PID 2036 wrote to memory of 1944	2036	cmd.exe	HEU_A.exe
PID 2036 wrote to memory of 1944	2036	cmd.exe	HEU_A.exe
PID 2036 wrote to memory of 1944	2036	cmd.exe	HEU_A.exe
PID 2036 wrote to memory of 1944	2036	cmd.exe	HEU_A.exe
PID 1944 wrote to memory of 1472	1944	HEU_A.exe	schtasks.exe
PID 1944 wrote to memory of 1472	1944	HEU_A.exe	schtasks.exe
PID 1944 wrote to memory of 1472	1944	HEU_A.exe	schtasks.exe
PID 1944 wrote to memory of 1472	1944	HEU_A.exe	schtasks.exe
PID 1944 wrote to memory of 2004	1944	HEU_A.exe	IntelServiceUpdate.exe
PID 1944 wrote to memory of 2004	1944	HEU_A.exe	IntelServiceUpdate.exe
PID 1944 wrote to memory of 2004	1944	HEU_A.exe	IntelServiceUpdate.exe
PID 1944 wrote to memory of 2004	1944	HEU_A.exe	IntelServiceUpdate.exe
PID 1944 wrote to memory of 2004	1944	HEU_A.exe	IntelServiceUpdate.exe
PID 1944 wrote to memory of 2004	1944	HEU_A.exe	IntelServiceUpdate.exe
PID 1944 wrote to memory of 2004	1944	HEU_A.exe	IntelServiceUpdate.exe
PID 2036 wrote to memory of 1588	2036	cmd.exe	HEU_T.exe
PID 2036 wrote to memory of 1588	2036	cmd.exe	HEU_T.exe
PID 2036 wrote to memory of 1588	2036	cmd.exe	HEU_T.exe
PID 2036 wrote to memory of 1588	2036	cmd.exe	HEU_T.exe
PID 1588 wrote to memory of 1184	1588	HEU_T.exe	schtasks.exe
PID 1588 wrote to memory of 1184	1588	HEU_T.exe	schtasks.exe
PID 1588 wrote to memory of 1184	1588	HEU_T.exe	schtasks.exe
PID 1588 wrote to memory of 1184	1588	HEU_T.exe	schtasks.exe
PID 2004 wrote to memory of 1708	2004	IntelServiceUpdate.exe	schtasks.exe
PID 2004 wrote to memory of 1708	2004	IntelServiceUpdate.exe	schtasks.exe
PID 2004 wrote to memory of 1708	2004	IntelServiceUpdate.exe	schtasks.exe
PID 2004 wrote to memory of 1708	2004	IntelServiceUpdate.exe	schtasks.exe
PID 1588 wrote to memory of 860	1588	HEU_T.exe	IntelService.exe
PID 1588 wrote to memory of 860	1588	HEU_T.exe	IntelService.exe
PID 1588 wrote to memory of 860	1588	HEU_T.exe	IntelService.exe
PID 1588 wrote to memory of 860	1588	HEU_T.exe	IntelService.exe
PID 860 wrote to memory of 856	860	IntelService.exe	schtasks.exe
PID 860 wrote to memory of 856	860	IntelService.exe	schtasks.exe
PID 860 wrote to memory of 856	860	IntelService.exe	schtasks.exe
PID 860 wrote to memory of 856	860	IntelService.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\installation.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\installation.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_A.exe
HEU_A.exe
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Intel Service Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_A.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1472

C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe
"C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Intel Service Update" /sc ONLOGON /tr "C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1708

C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_T.exe
HEU_T.exe
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Intel Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_T.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1184

C:\Program Files (x86)\IntelService\IntelService.exe
"C:\Program Files (x86)\IntelService\IntelService.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Intel Service" /sc ONLOGON /tr "C:\Program Files (x86)\IntelService\IntelService.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\IntelService\IntelService.exe
Filesize
3.2MB

MD5
40d62eddbff45d346db54f324aa84008

SHA1
0f40dcddb8ae4a1eedab47e7987eef133292ab91

SHA256
670e5d43cf31f19bda2ff0355456fbb657472402482e85202dc8a4f338d46858

SHA512
2274bde25d39170ad2e497ffd48d05397934588a413d60bbdde4fdda96226db5c7aa8b048312f1cab5758c4e4b5733ecc3001b9b777a9821d683a896495c627f

Download Submit
C:\Program Files (x86)\IntelService\IntelService.exe
Filesize
3.2MB

MD5
40d62eddbff45d346db54f324aa84008

SHA1
0f40dcddb8ae4a1eedab47e7987eef133292ab91

SHA256
670e5d43cf31f19bda2ff0355456fbb657472402482e85202dc8a4f338d46858

SHA512
2274bde25d39170ad2e497ffd48d05397934588a413d60bbdde4fdda96226db5c7aa8b048312f1cab5758c4e4b5733ecc3001b9b777a9821d683a896495c627f

Download Submit
C:\Program Files (x86)\IntelService\IntelService.exe
Filesize
3.2MB

MD5
40d62eddbff45d346db54f324aa84008

SHA1
0f40dcddb8ae4a1eedab47e7987eef133292ab91

SHA256
670e5d43cf31f19bda2ff0355456fbb657472402482e85202dc8a4f338d46858

SHA512
2274bde25d39170ad2e497ffd48d05397934588a413d60bbdde4fdda96226db5c7aa8b048312f1cab5758c4e4b5733ecc3001b9b777a9821d683a896495c627f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_A.exe
Filesize
3.2MB

MD5
e304134514f7d41aaf59ac7f33640ee6

SHA1
8bad53d74e0ce3b0fd45756ede792af25ce0e79a

SHA256
5aa4f078387db3d4909494600d8797355da8edd93047039119dd3fb71abf66e7

SHA512
7ad484d2cc195ff6850ebe564c1f7076b66e308b090d53b0ae24873f9986cc642ed648e416281077dbc5bb5d3a987102a5a958dbffeba85d058650f70612fcc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_A.exe
Filesize
3.2MB

MD5
e304134514f7d41aaf59ac7f33640ee6

SHA1
8bad53d74e0ce3b0fd45756ede792af25ce0e79a

SHA256
5aa4f078387db3d4909494600d8797355da8edd93047039119dd3fb71abf66e7

SHA512
7ad484d2cc195ff6850ebe564c1f7076b66e308b090d53b0ae24873f9986cc642ed648e416281077dbc5bb5d3a987102a5a958dbffeba85d058650f70612fcc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_T.exe
Filesize
3.2MB

MD5
40d62eddbff45d346db54f324aa84008

SHA1
0f40dcddb8ae4a1eedab47e7987eef133292ab91

SHA256
670e5d43cf31f19bda2ff0355456fbb657472402482e85202dc8a4f338d46858

SHA512
2274bde25d39170ad2e497ffd48d05397934588a413d60bbdde4fdda96226db5c7aa8b048312f1cab5758c4e4b5733ecc3001b9b777a9821d683a896495c627f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_T.exe
Filesize
3.2MB

MD5
40d62eddbff45d346db54f324aa84008

SHA1
0f40dcddb8ae4a1eedab47e7987eef133292ab91

SHA256
670e5d43cf31f19bda2ff0355456fbb657472402482e85202dc8a4f338d46858

SHA512
2274bde25d39170ad2e497ffd48d05397934588a413d60bbdde4fdda96226db5c7aa8b048312f1cab5758c4e4b5733ecc3001b9b777a9821d683a896495c627f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\installation.bat
Filesize
38B

MD5
6c394f46eece6a9afe232492a2c8c2fa

SHA1
339a7e4dad0caa1c73af8c2425e64a4181ab9715

SHA256
f18ee7b9e8d4edca7b374a468ef076f5172f57bb4b26a3f5acfbe9d53e5fc201

SHA512
6a0ac3022ef4b98203badc24f2239c76012ba59704c333057dde6a29fd6db0137a9999c61c1ca086c5ff6404b2e3bbb12ddd56c17ea45871e976d44d640f3913

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\installation.vbs
Filesize
75B

MD5
a1bb86ecdb375e144840f6c94ddbd20c

SHA1
7d12aca5e928a4558e417cf69f958ca5b8acd39e

SHA256
8e814c00551b5b7e811528d270a962f65980c34dd39d2b964324448c6860a797

SHA512
f95693e623afb2e5b588cdf018a53ab58fbdd8cbd015946f289edb58679b7fb4df6a0437d372a52421c69d8bbc071859b69525fe31aa570a072abd4ccb70a9da

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\03-25-2023
Filesize
224B

MD5
d2199c6a0de92e520bc2a88a6ffbe7f3

SHA1
6e1439ec6d1289e43c372f939af1406c20c289f8

SHA256
6828a23c03674adbe8397450b3d7884b1f59dd20952ac327828d7e64ce17c8c6

SHA512
0e7bb12576296c67a20874aef8356fa1f13fe142aa8a83d2eb4f2fe1ad038e2281d689c96ecc38859de9b30efe06b3966f86ba071b0c0d280ea2f0215661c50c

Download Submit
C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe
Filesize
3.2MB

MD5
e304134514f7d41aaf59ac7f33640ee6

SHA1
8bad53d74e0ce3b0fd45756ede792af25ce0e79a

SHA256
5aa4f078387db3d4909494600d8797355da8edd93047039119dd3fb71abf66e7

SHA512
7ad484d2cc195ff6850ebe564c1f7076b66e308b090d53b0ae24873f9986cc642ed648e416281077dbc5bb5d3a987102a5a958dbffeba85d058650f70612fcc9

Download Submit
C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe
Filesize
3.2MB

MD5
e304134514f7d41aaf59ac7f33640ee6

SHA1
8bad53d74e0ce3b0fd45756ede792af25ce0e79a

SHA256
5aa4f078387db3d4909494600d8797355da8edd93047039119dd3fb71abf66e7

SHA512
7ad484d2cc195ff6850ebe564c1f7076b66e308b090d53b0ae24873f9986cc642ed648e416281077dbc5bb5d3a987102a5a958dbffeba85d058650f70612fcc9

Download Submit
C:\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe
Filesize
3.2MB

MD5
e304134514f7d41aaf59ac7f33640ee6

SHA1
8bad53d74e0ce3b0fd45756ede792af25ce0e79a

SHA256
5aa4f078387db3d4909494600d8797355da8edd93047039119dd3fb71abf66e7

SHA512
7ad484d2cc195ff6850ebe564c1f7076b66e308b090d53b0ae24873f9986cc642ed648e416281077dbc5bb5d3a987102a5a958dbffeba85d058650f70612fcc9

Download Submit
\Program Files (x86)\IntelService\IntelService.exe
Filesize
3.2MB

MD5
40d62eddbff45d346db54f324aa84008

SHA1
0f40dcddb8ae4a1eedab47e7987eef133292ab91

SHA256
670e5d43cf31f19bda2ff0355456fbb657472402482e85202dc8a4f338d46858

SHA512
2274bde25d39170ad2e497ffd48d05397934588a413d60bbdde4fdda96226db5c7aa8b048312f1cab5758c4e4b5733ecc3001b9b777a9821d683a896495c627f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_A.exe
Filesize
3.2MB

MD5
e304134514f7d41aaf59ac7f33640ee6

SHA1
8bad53d74e0ce3b0fd45756ede792af25ce0e79a

SHA256
5aa4f078387db3d4909494600d8797355da8edd93047039119dd3fb71abf66e7

SHA512
7ad484d2cc195ff6850ebe564c1f7076b66e308b090d53b0ae24873f9986cc642ed648e416281077dbc5bb5d3a987102a5a958dbffeba85d058650f70612fcc9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\HEU_T.exe
Filesize
3.2MB

MD5
40d62eddbff45d346db54f324aa84008

SHA1
0f40dcddb8ae4a1eedab47e7987eef133292ab91

SHA256
670e5d43cf31f19bda2ff0355456fbb657472402482e85202dc8a4f338d46858

SHA512
2274bde25d39170ad2e497ffd48d05397934588a413d60bbdde4fdda96226db5c7aa8b048312f1cab5758c4e4b5733ecc3001b9b777a9821d683a896495c627f

Download Submit
\Windows\SysWOW64\IntelServiceUpdate\IntelServiceUpdate.exe
Filesize
3.2MB

MD5
e304134514f7d41aaf59ac7f33640ee6

SHA1
8bad53d74e0ce3b0fd45756ede792af25ce0e79a

SHA256
5aa4f078387db3d4909494600d8797355da8edd93047039119dd3fb71abf66e7

SHA512
7ad484d2cc195ff6850ebe564c1f7076b66e308b090d53b0ae24873f9986cc642ed648e416281077dbc5bb5d3a987102a5a958dbffeba85d058650f70612fcc9

Download Submit
memory/860-126-0x0000000000C10000-0x000000000149C000-memory.dmp

Filesize
8.5MB

Download
memory/860-117-0x0000000000C10000-0x000000000149C000-memory.dmp

Filesize
8.5MB

Download
memory/860-116-0x0000000000C10000-0x000000000149C000-memory.dmp

Filesize
8.5MB

Download
memory/860-112-0x0000000000C10000-0x000000000149C000-memory.dmp

Filesize
8.5MB

Download
memory/1588-89-0x0000000000990000-0x000000000121C000-memory.dmp

Filesize
8.5MB

Download
memory/1588-96-0x0000000000990000-0x000000000121C000-memory.dmp

Filesize
8.5MB

Download
memory/1588-97-0x0000000000990000-0x000000000121C000-memory.dmp

Filesize
8.5MB

Download
memory/1588-100-0x00000000055A0000-0x00000000055E0000-memory.dmp

Filesize
256KB

Download
memory/1588-109-0x0000000000990000-0x000000000121C000-memory.dmp

Filesize
8.5MB

Download
memory/1944-75-0x0000000005430000-0x0000000005470000-memory.dmp

Filesize
256KB

Download
memory/1944-83-0x0000000000040000-0x00000000008CA000-memory.dmp

Filesize
8.5MB

Download
memory/1944-74-0x0000000000040000-0x00000000008CA000-memory.dmp

Filesize
8.5MB

Download
memory/1944-73-0x0000000000040000-0x00000000008CA000-memory.dmp

Filesize
8.5MB

Download
memory/1944-72-0x0000000000040000-0x00000000008CA000-memory.dmp

Filesize
8.5MB

Download
memory/2004-101-0x0000000005350000-0x0000000005390000-memory.dmp

Filesize
256KB

Download
memory/2004-99-0x0000000000D80000-0x000000000160A000-memory.dmp

Filesize
8.5MB

Download
memory/2004-98-0x0000000000D80000-0x000000000160A000-memory.dmp

Filesize
8.5MB

Download
memory/2004-123-0x0000000000D80000-0x000000000160A000-memory.dmp

Filesize
8.5MB

Download
memory/2004-124-0x0000000005350000-0x0000000005390000-memory.dmp

Filesize
256KB

Download
memory/2004-91-0x0000000000D80000-0x000000000160A000-memory.dmp

Filesize
8.5MB

Download
memory/2036-87-0x0000000001D60000-0x00000000025EC000-memory.dmp

Filesize
8.5MB

Download