Malware Analysis Report

2024-08-06 13:12

Sample ID 240618-1kw5xa1gkk
Target IntelDriver.zip
SHA256 8b88622a5746ff92c72ef22b4260d5d9d70678363617957166cd5ee065a54587
Tags
asyncrat quasar spexe rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8b88622a5746ff92c72ef22b4260d5d9d70678363617957166cd5ee065a54587

Threat Level: Known bad

The file IntelDriver.zip was found to be: Known bad.

Malicious Activity Summary

asyncrat quasar spexe rat spyware stealer trojan

AsyncRat

Suspicious use of NtCreateUserProcessOtherParentProcess

Quasar payload

Quasar RAT

Reads user/profile data of web browsers

Executes dropped EXE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-18 21:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 21:43

Reported

2024-06-18 21:45

Platform

win11-20240611-en

Max time kernel

136s

Max time network

154s

Command Line

C:\Windows\Explorer.EXE

Signatures

AsyncRat

rat asyncrat

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2684 created 3348 N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe C:\Windows\Explorer.EXE
PID 2684 created 3348 N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe C:\Windows\Explorer.EXE

Reads user/profile data of web browsers

spyware stealer

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0 = 5600310000000000cb582dab12004170704461746100400009000400efbecb582dabd2586cad2e0000005c5702000000010000000000000000000000000000005162c0004100700070004400610074006100000016000000 C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\0 = 5e00310000000000d2586cad10003332323237347e310000460009000400efbecb58d6b0d2586cad2e0000007b5e020000001f000000000000000000000000000000bef80a013300320032003200370034003600330032003500000018000000 C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0 C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\NodeSlot = "2" C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\0\NodeSlot = "3" C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0 C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 7800310000000000cb582dab1100557365727300640009000400efbec5522d60d2586cad2e0000006c0500000000010000000000000000003a00000000003a4ecc0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 5000310000000000cb5891b0100041646d696e003c0009000400efbecb582dabd2586cad2e0000005157020000000100000000000000000000000000000059f60d00410064006d0069006e00000014000000 C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0 C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\0 C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000 C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0 = 4e00310000000000d2586cad100054656d7000003a0009000400efbecb582dabd2586cad2e0000007157020000000100000000000000000000000000000055932801540065006d007000000014000000 C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2684 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 2684 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 2684 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 2684 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 2684 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 2684 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 2684 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 2684 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 2684 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 2684 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\Intel.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Intel.exe

"C:\Users\Admin\AppData\Local\Temp\Intel.exe"

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 TwAYAiuCHTKuwbsXcIG.TwAYAiuCHTKuwbsXcIG udp
IT 188.218.201.175:4781 ethers.securitytactics.com tcp
DE 195.201.57.90:443 ipwho.is tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
IE 52.111.236.23:443 tcp
IT 188.218.201.175:6606 ethers.securitytactics.com tcp
IT 188.218.201.175:6606 ethers.securitytactics.com tcp
IT 188.218.201.175:6606 ethers.securitytactics.com tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 cc474f328c7743aa4598460bae06c6f6
SHA1 0a1bc1534f53600669738aedaabf92772f1faa8e
SHA256 106e2a8aec59ec64a650aa7c8bcb40cd5b807e0449d474f5fffc94c1612020ec
SHA512 02521af5b36c9fbf1f6d15fe7083b0a505875931cf0bd5e66d98f8cc8ad93f94c58f051c0752d28f1ce753fe4d18ac4f152f04226f91595620bce8ffaa8c3908

memory/2684-9-0x0000000077C31000-0x0000000077D53000-memory.dmp

memory/2684-11-0x0000000000C60000-0x0000000000C61000-memory.dmp

memory/1004-13-0x0000000000C30000-0x0000000000F54000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

MD5 42ab6e035df99a43dbb879c86b620b91
SHA1 c6e116569d17d8142dbb217b1f8bfa95bc148c38
SHA256 53195987d396986ebcb20425ac130e78ad308fdbd918f33f3fd92b99abda314b
SHA512 2e79de2d394ad33023d71611bb728b254aa4680b5a3a1ef5282b1155ddfaa2f3585c840a6700dfe0d1a276dac801298431f0187086d2e8f96b22f6c808fb97e5

memory/1004-16-0x000000007208E000-0x000000007208F000-memory.dmp

memory/1004-17-0x0000000005B90000-0x0000000006136000-memory.dmp

memory/1004-18-0x00000000056D0000-0x0000000005762000-memory.dmp

memory/1004-19-0x00000000056C0000-0x00000000056D0000-memory.dmp

memory/1004-20-0x0000000005690000-0x000000000569A000-memory.dmp

memory/1004-21-0x0000000006760000-0x0000000006D78000-memory.dmp

memory/1004-22-0x0000000006270000-0x00000000062C0000-memory.dmp

memory/1004-23-0x00000000064E0000-0x0000000006592000-memory.dmp

memory/1004-26-0x0000000007870000-0x0000000007882000-memory.dmp

memory/1004-27-0x00000000078D0000-0x000000000790C000-memory.dmp

memory/1004-28-0x0000000007980000-0x00000000079E6000-memory.dmp

memory/1004-31-0x00000000085D0000-0x0000000008AFC000-memory.dmp

memory/1004-33-0x000000007208E000-0x000000007208F000-memory.dmp

memory/1004-34-0x00000000056C0000-0x00000000056D0000-memory.dmp

memory/3532-35-0x0000000000FD0000-0x0000000000FE6000-memory.dmp

memory/3532-39-0x00000000068B0000-0x000000000694C000-memory.dmp

memory/3532-40-0x0000000002FD0000-0x0000000003046000-memory.dmp

memory/3532-41-0x0000000002F50000-0x0000000002F5E000-memory.dmp

memory/3532-42-0x0000000002FB0000-0x0000000002FCE000-memory.dmp