4f27a3fe51d0494d18648a7279b2a368f86288148b7c1044d4d24ae7e4dfcca1

Analysis

max time kernel
117s
max time network
125s
platform
windows7_x64
resource
win7-en-20210920
submitted
21-10-2021 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

748984d40e7ab68b0a130a620b550a3d.exe
Size

5.9MB
MD5

748984d40e7ab68b0a130a620b550a3d
SHA1

ac800bb6aaf3172d3d0170300f8ba3dc03304b60
SHA256

4f27a3fe51d0494d18648a7279b2a368f86288148b7c1044d4d24ae7e4dfcca1
SHA512

af6fc23b6ec54e36a150f824060b3b14fbc39c0dd88023bda5891a99d79e6aa81a8300fc053b3f8c004d25399b61e5012898a636b6d3e5e8f695d49df8f93f5c

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 5 IoCs

Processes:

WScript.exe

flow pid process

20 1804 WScript.exe
22 1804 WScript.exe
24 1804 WScript.exe
26 1804 WScript.exe
28 1804 WScript.exe
Executes dropped EXE 3 IoCs

Processes:

undirk.exeyoicksvp.exeIntelRapid.exe

pid process

1396 undirk.exe
1728 yoicksvp.exe
1668 IntelRapid.exe

flow	pid	process
20	1804	WScript.exe
22	1804	WScript.exe
24	1804	WScript.exe
26	1804	WScript.exe
28	1804	WScript.exe

pid	process
1396	undirk.exe
1728	yoicksvp.exe
1668	IntelRapid.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

yoicksvp.exeIntelRapid.exeundirk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	yoicksvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	undirk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	undirk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	yoicksvp.exe

Drops startup file 1 IoCs

Processes:

undirk.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk undirk.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk	undirk.exe

Loads dropped DLL 9 IoCs

Processes:

748984d40e7ab68b0a130a620b550a3d.exeyoicksvp.exeundirk.exe

pid	process
332	748984d40e7ab68b0a130a620b550a3d.exe
332	748984d40e7ab68b0a130a620b550a3d.exe
332	748984d40e7ab68b0a130a620b550a3d.exe
332	748984d40e7ab68b0a130a620b550a3d.exe
1728	yoicksvp.exe
1728	yoicksvp.exe
1396	undirk.exe
1396	undirk.exe
1396	undirk.exe

Themida packer 23 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\lizard\undirk.exe	themida
\Users\Admin\AppData\Local\Temp\lizard\undirk.exe	themida
C:\Users\Admin\AppData\Local\Temp\lizard\undirk.exe	themida
\Users\Admin\AppData\Local\Temp\lizard\yoicksvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\lizard\yoicksvp.exe	themida
behavioral1/memory/1396-64-0x000000013FF30000-0x000000014084A000-memory.dmp	themida
\Users\Admin\AppData\Local\Temp\lizard\yoicksvp.exe	themida
\Users\Admin\AppData\Local\Temp\lizard\yoicksvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\lizard\yoicksvp.exe	themida
behavioral1/memory/1396-68-0x000000013FF30000-0x000000014084A000-memory.dmp	themida
behavioral1/memory/1396-69-0x000000013FF30000-0x000000014084A000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\lizard\undirk.exe	themida
behavioral1/memory/1728-72-0x0000000000270000-0x00000000008DC000-memory.dmp	themida
behavioral1/memory/1728-73-0x0000000000270000-0x00000000008DC000-memory.dmp	themida
behavioral1/memory/1728-74-0x0000000000270000-0x00000000008DC000-memory.dmp	themida
behavioral1/memory/1728-75-0x0000000000270000-0x00000000008DC000-memory.dmp	themida
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
behavioral1/memory/1668-81-0x000000013FC70000-0x000000014058A000-memory.dmp	themida
behavioral1/memory/1668-82-0x000000013FC70000-0x000000014058A000-memory.dmp	themida
behavioral1/memory/1668-83-0x000000013FC70000-0x000000014058A000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

undirk.exeyoicksvp.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	undirk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yoicksvp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IntelRapid.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

undirk.exeyoicksvp.exeIntelRapid.exe

pid process

1396 undirk.exe
1728 yoicksvp.exe
1668 IntelRapid.exe

flow	ioc
4	ip-api.com

pid	process
1396	undirk.exe
1728	yoicksvp.exe
1668	IntelRapid.exe

Drops file in Program Files directory 3 IoCs

Processes:

748984d40e7ab68b0a130a620b550a3d.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	748984d40e7ab68b0a130a620b550a3d.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	748984d40e7ab68b0a130a620b550a3d.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	748984d40e7ab68b0a130a620b550a3d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

yoicksvp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	yoicksvp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	yoicksvp.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

IntelRapid.exe

pid process

1668 IntelRapid.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

yoicksvp.exe

pid process

1728 yoicksvp.exe

pid	process
1668	IntelRapid.exe

pid	process
1728	yoicksvp.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

748984d40e7ab68b0a130a620b550a3d.exeundirk.exeyoicksvp.exe

description	pid	process	target process
PID 332 wrote to memory of 1396	332	748984d40e7ab68b0a130a620b550a3d.exe	undirk.exe
PID 332 wrote to memory of 1396	332	748984d40e7ab68b0a130a620b550a3d.exe	undirk.exe
PID 332 wrote to memory of 1396	332	748984d40e7ab68b0a130a620b550a3d.exe	undirk.exe
PID 332 wrote to memory of 1396	332	748984d40e7ab68b0a130a620b550a3d.exe	undirk.exe
PID 332 wrote to memory of 1728	332	748984d40e7ab68b0a130a620b550a3d.exe	yoicksvp.exe
PID 332 wrote to memory of 1728	332	748984d40e7ab68b0a130a620b550a3d.exe	yoicksvp.exe
PID 332 wrote to memory of 1728	332	748984d40e7ab68b0a130a620b550a3d.exe	yoicksvp.exe
PID 332 wrote to memory of 1728	332	748984d40e7ab68b0a130a620b550a3d.exe	yoicksvp.exe
PID 332 wrote to memory of 1728	332	748984d40e7ab68b0a130a620b550a3d.exe	yoicksvp.exe
PID 332 wrote to memory of 1728	332	748984d40e7ab68b0a130a620b550a3d.exe	yoicksvp.exe
PID 332 wrote to memory of 1728	332	748984d40e7ab68b0a130a620b550a3d.exe	yoicksvp.exe
PID 1396 wrote to memory of 1668	1396	undirk.exe	IntelRapid.exe
PID 1396 wrote to memory of 1668	1396	undirk.exe	IntelRapid.exe
PID 1396 wrote to memory of 1668	1396	undirk.exe	IntelRapid.exe
PID 1728 wrote to memory of 1996	1728	yoicksvp.exe	WScript.exe
PID 1728 wrote to memory of 1996	1728	yoicksvp.exe	WScript.exe
PID 1728 wrote to memory of 1996	1728	yoicksvp.exe	WScript.exe
PID 1728 wrote to memory of 1996	1728	yoicksvp.exe	WScript.exe
PID 1728 wrote to memory of 1996	1728	yoicksvp.exe	WScript.exe
PID 1728 wrote to memory of 1996	1728	yoicksvp.exe	WScript.exe
PID 1728 wrote to memory of 1996	1728	yoicksvp.exe	WScript.exe
PID 1728 wrote to memory of 1804	1728	yoicksvp.exe	WScript.exe
PID 1728 wrote to memory of 1804	1728	yoicksvp.exe	WScript.exe
PID 1728 wrote to memory of 1804	1728	yoicksvp.exe	WScript.exe
PID 1728 wrote to memory of 1804	1728	yoicksvp.exe	WScript.exe
PID 1728 wrote to memory of 1804	1728	yoicksvp.exe	WScript.exe
PID 1728 wrote to memory of 1804	1728	yoicksvp.exe	WScript.exe
PID 1728 wrote to memory of 1804	1728	yoicksvp.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\748984d40e7ab68b0a130a620b550a3d.exe
"C:\Users\Admin\AppData\Local\Temp\748984d40e7ab68b0a130a620b550a3d.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:332

C:\Users\Admin\AppData\Local\Temp\lizard\undirk.exe
"C:\Users\Admin\AppData\Local\Temp\lizard\undirk.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
"C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
PID:1668

C:\Users\Admin\AppData\Local\Temp\lizard\yoicksvp.exe
"C:\Users\Admin\AppData\Local\Temp\lizard\yoicksvp.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ljbftlmq.vbs"
3⤵
PID:1996

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\qrfineiwlywg.vbs"
3⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:1804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
ab5c36d10261c173c5896f3478cdc6b7

SHA1
87ac53810ad125663519e944bc87ded3979cbee4

SHA256
f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

SHA512
e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
671d0053972ae504a8ad7b8f559bdd46

SHA1
c7ec1cbe82ead990a4ba1349f52d5a777a2dac6b

SHA256
978b1fb21353d2b215a5c03f103794f2309ffc09e4f381974a217c4980ce19fc

SHA512
bd1a85057b471938fcf62eb5e79c49153105fd155b361df82bd75c39e98e44365058091e2c105380729ab3e6d3865c5b152a5f9f3c14c2760ff91c9d26976b75

Download Submit
C:\Users\Admin\AppData\Local\Temp\lizard\undirk.exe
MD5
dee7f81724e172738ba8942a2c56c9d0

SHA1
debcc55ada38e5252a985dd205749bec5cc423cb

SHA256
783c54026f897bbb1f1efcb9da71102ad0a278d3b2ee5bbd6d8a8a8961489890

SHA512
e7bd7da4798e659db85f35cb17246c56f1a801323958f3af59c70efb9deb38b70ce0bf4e6f754e906c3ae736ffc670c8f724e6eb1c9f2e7f972cce541ce4d453

Download Submit
C:\Users\Admin\AppData\Local\Temp\lizard\undirk.exe
MD5
dee7f81724e172738ba8942a2c56c9d0

SHA1
debcc55ada38e5252a985dd205749bec5cc423cb

SHA256
783c54026f897bbb1f1efcb9da71102ad0a278d3b2ee5bbd6d8a8a8961489890

SHA512
e7bd7da4798e659db85f35cb17246c56f1a801323958f3af59c70efb9deb38b70ce0bf4e6f754e906c3ae736ffc670c8f724e6eb1c9f2e7f972cce541ce4d453

Download Submit
C:\Users\Admin\AppData\Local\Temp\lizard\yoicksvp.exe
MD5
5f1ed0072d716d250b0eaf6982cdc03b

SHA1
62b3ede1369d53017bad62ddda5072817be5ae42

SHA256
b182a54926df679c8c8598095a8acb09a8c9d7165e3dd700d92c65a751151a02

SHA512
e6a3977c9674f12eb5752d6ff1caa1ee028a3b448bf2d91eb18309a5640e27b542e10acad33808d7065bb2c1a357a3d64e4a077b4321885e994bccf662a5671e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lizard\yoicksvp.exe
MD5
5f1ed0072d716d250b0eaf6982cdc03b

SHA1
62b3ede1369d53017bad62ddda5072817be5ae42

SHA256
b182a54926df679c8c8598095a8acb09a8c9d7165e3dd700d92c65a751151a02

SHA512
e6a3977c9674f12eb5752d6ff1caa1ee028a3b448bf2d91eb18309a5640e27b542e10acad33808d7065bb2c1a357a3d64e4a077b4321885e994bccf662a5671e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljbftlmq.vbs
MD5
218af87e1ba07d88f8cf66fc4a6443de

SHA1
96f734f4bfa1564fa4316358287014feb652bf26

SHA256
e61a6f719307a1e25fd962446a7d18056001e1b43d2ae4ff3e7f270ba31eab20

SHA512
99855397963fa2fdf1eb13dbcc96bab9235fb0a3e8e1b3aa1d1a266052900fdcef73f55f208206c561dda449ec49c19a1b185b868c1fec31f09b85471e710cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\qrfineiwlywg.vbs
MD5
6802328851ee66f991335c946f761425

SHA1
26f7371f2cf20ef578d9982e33856c37783804c4

SHA256
f5fad0e4984e8e8acc2297db51b410c683e5fe247bc770cc975e43b5cb55cc96

SHA512
ff98b23f7345cb2e9dc55d7a05d5a96084aa7dcfc67f4821905172b48f8e7ce566c757b142d38085468443826848b646db45aaaecae82609156803097793bad7

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
dee7f81724e172738ba8942a2c56c9d0

SHA1
debcc55ada38e5252a985dd205749bec5cc423cb

SHA256
783c54026f897bbb1f1efcb9da71102ad0a278d3b2ee5bbd6d8a8a8961489890

SHA512
e7bd7da4798e659db85f35cb17246c56f1a801323958f3af59c70efb9deb38b70ce0bf4e6f754e906c3ae736ffc670c8f724e6eb1c9f2e7f972cce541ce4d453

Download Submit
\Users\Admin\AppData\Local\Temp\lizard\undirk.exe
MD5
dee7f81724e172738ba8942a2c56c9d0

SHA1
debcc55ada38e5252a985dd205749bec5cc423cb

SHA256
783c54026f897bbb1f1efcb9da71102ad0a278d3b2ee5bbd6d8a8a8961489890

SHA512
e7bd7da4798e659db85f35cb17246c56f1a801323958f3af59c70efb9deb38b70ce0bf4e6f754e906c3ae736ffc670c8f724e6eb1c9f2e7f972cce541ce4d453

Download Submit
\Users\Admin\AppData\Local\Temp\lizard\undirk.exe
MD5
dee7f81724e172738ba8942a2c56c9d0

SHA1
debcc55ada38e5252a985dd205749bec5cc423cb

SHA256
783c54026f897bbb1f1efcb9da71102ad0a278d3b2ee5bbd6d8a8a8961489890

SHA512
e7bd7da4798e659db85f35cb17246c56f1a801323958f3af59c70efb9deb38b70ce0bf4e6f754e906c3ae736ffc670c8f724e6eb1c9f2e7f972cce541ce4d453

Download Submit
\Users\Admin\AppData\Local\Temp\lizard\yoicksvp.exe
MD5
5f1ed0072d716d250b0eaf6982cdc03b

SHA1
62b3ede1369d53017bad62ddda5072817be5ae42

SHA256
b182a54926df679c8c8598095a8acb09a8c9d7165e3dd700d92c65a751151a02

SHA512
e6a3977c9674f12eb5752d6ff1caa1ee028a3b448bf2d91eb18309a5640e27b542e10acad33808d7065bb2c1a357a3d64e4a077b4321885e994bccf662a5671e

Download Submit
\Users\Admin\AppData\Local\Temp\lizard\yoicksvp.exe
MD5
5f1ed0072d716d250b0eaf6982cdc03b

SHA1
62b3ede1369d53017bad62ddda5072817be5ae42

SHA256
b182a54926df679c8c8598095a8acb09a8c9d7165e3dd700d92c65a751151a02

SHA512
e6a3977c9674f12eb5752d6ff1caa1ee028a3b448bf2d91eb18309a5640e27b542e10acad33808d7065bb2c1a357a3d64e4a077b4321885e994bccf662a5671e

Download Submit
\Users\Admin\AppData\Local\Temp\lizard\yoicksvp.exe
MD5
5f1ed0072d716d250b0eaf6982cdc03b

SHA1
62b3ede1369d53017bad62ddda5072817be5ae42

SHA256
b182a54926df679c8c8598095a8acb09a8c9d7165e3dd700d92c65a751151a02

SHA512
e6a3977c9674f12eb5752d6ff1caa1ee028a3b448bf2d91eb18309a5640e27b542e10acad33808d7065bb2c1a357a3d64e4a077b4321885e994bccf662a5671e

Download Submit
\Users\Admin\AppData\Local\Temp\nsiE58F.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
dee7f81724e172738ba8942a2c56c9d0

SHA1
debcc55ada38e5252a985dd205749bec5cc423cb

SHA256
783c54026f897bbb1f1efcb9da71102ad0a278d3b2ee5bbd6d8a8a8961489890

SHA512
e7bd7da4798e659db85f35cb17246c56f1a801323958f3af59c70efb9deb38b70ce0bf4e6f754e906c3ae736ffc670c8f724e6eb1c9f2e7f972cce541ce4d453

Download Submit
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
dee7f81724e172738ba8942a2c56c9d0

SHA1
debcc55ada38e5252a985dd205749bec5cc423cb

SHA256
783c54026f897bbb1f1efcb9da71102ad0a278d3b2ee5bbd6d8a8a8961489890

SHA512
e7bd7da4798e659db85f35cb17246c56f1a801323958f3af59c70efb9deb38b70ce0bf4e6f754e906c3ae736ffc670c8f724e6eb1c9f2e7f972cce541ce4d453

Download Submit
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
dee7f81724e172738ba8942a2c56c9d0

SHA1
debcc55ada38e5252a985dd205749bec5cc423cb

SHA256
783c54026f897bbb1f1efcb9da71102ad0a278d3b2ee5bbd6d8a8a8961489890

SHA512
e7bd7da4798e659db85f35cb17246c56f1a801323958f3af59c70efb9deb38b70ce0bf4e6f754e906c3ae736ffc670c8f724e6eb1c9f2e7f972cce541ce4d453

Download Submit
memory/332-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1396-69-0x000000013FF30000-0x000000014084A000-memory.dmp

Filesize
9.1MB

Download
memory/1396-71-0x000007FEFBF91000-0x000007FEFBF93000-memory.dmp

Filesize
8KB

Download
memory/1396-58-0x0000000000000000-mapping.dmp

Download
memory/1396-64-0x000000013FF30000-0x000000014084A000-memory.dmp

Filesize
9.1MB

Download
memory/1396-68-0x000000013FF30000-0x000000014084A000-memory.dmp

Filesize
9.1MB

Download
memory/1668-83-0x000000013FC70000-0x000000014058A000-memory.dmp

Filesize
9.1MB

Download
memory/1668-79-0x0000000000000000-mapping.dmp

Download
memory/1668-81-0x000000013FC70000-0x000000014058A000-memory.dmp

Filesize
9.1MB

Download
memory/1668-82-0x000000013FC70000-0x000000014058A000-memory.dmp

Filesize
9.1MB

Download
memory/1728-74-0x0000000000270000-0x00000000008DC000-memory.dmp

Filesize
6.4MB

Download
memory/1728-72-0x0000000000270000-0x00000000008DC000-memory.dmp

Filesize
6.4MB

Download
memory/1728-73-0x0000000000270000-0x00000000008DC000-memory.dmp

Filesize
6.4MB

Download
memory/1728-61-0x0000000000000000-mapping.dmp

Download
memory/1728-75-0x0000000000270000-0x00000000008DC000-memory.dmp

Filesize
6.4MB

Download
memory/1804-87-0x0000000000000000-mapping.dmp

Download
memory/1996-84-0x0000000000000000-mapping.dmp

Download