c45d421ef1cd52ccc0dfa8bbacd093af7fdca76d402c7d773e97a5b1f0c8522a

Analysis

max time kernel
118s
max time network
149s
platform
windows7_x64
resource
win7-en-20210920
submitted
22-10-2021 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4708d7597f8efc46d22031ffc794047a.exe
Size

6.0MB
MD5

4708d7597f8efc46d22031ffc794047a
SHA1

028dd45e2fb27d82f53c14f1dc9abfa3573b8c15
SHA256

c45d421ef1cd52ccc0dfa8bbacd093af7fdca76d402c7d773e97a5b1f0c8522a
SHA512

2e435473f8874a6544044ca3ad6f939e80d87bdbb4dd42427b2c111024dbd8132021044565416cac0d27b8e5f7460bf8f696bfb1c7b04fbff20ef33ff386e4ba

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Blocklisted process makes network request 5 IoCs

Processes:

WScript.exe

flow pid process

20 944 WScript.exe
21 944 WScript.exe
23 944 WScript.exe
25 944 WScript.exe
27 944 WScript.exe
Executes dropped EXE 3 IoCs

Processes:

remedy.exesimityvp.exeIntelRapid.exe

pid process

576 remedy.exe
1124 simityvp.exe
852 IntelRapid.exe

flow	pid	process
20	944	WScript.exe
21	944	WScript.exe
23	944	WScript.exe
25	944	WScript.exe
27	944	WScript.exe

pid	process
576	remedy.exe
1124	simityvp.exe
852	IntelRapid.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

simityvp.exeremedy.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	simityvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	remedy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	remedy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	simityvp.exe

Drops startup file 1 IoCs

Processes:

remedy.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk remedy.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk	remedy.exe

Loads dropped DLL 9 IoCs

Processes:

4708d7597f8efc46d22031ffc794047a.exesimityvp.exeremedy.exe

pid	process
580	4708d7597f8efc46d22031ffc794047a.exe
580	4708d7597f8efc46d22031ffc794047a.exe
580	4708d7597f8efc46d22031ffc794047a.exe
580	4708d7597f8efc46d22031ffc794047a.exe
1124	simityvp.exe
1124	simityvp.exe
576	remedy.exe
576	remedy.exe
576	remedy.exe

Themida packer 23 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\lizard\remedy.exe	themida
\Users\Admin\AppData\Local\Temp\lizard\remedy.exe	themida
C:\Users\Admin\AppData\Local\Temp\lizard\remedy.exe	themida
\Users\Admin\AppData\Local\Temp\lizard\simityvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\lizard\simityvp.exe	themida
\Users\Admin\AppData\Local\Temp\lizard\simityvp.exe	themida
\Users\Admin\AppData\Local\Temp\lizard\simityvp.exe	themida
C:\Users\Admin\AppData\Local\Temp\lizard\simityvp.exe	themida
behavioral1/memory/1124-67-0x0000000000CE0000-0x00000000013A9000-memory.dmp	themida
behavioral1/memory/1124-68-0x0000000000CE0000-0x00000000013A9000-memory.dmp	themida
behavioral1/memory/1124-69-0x0000000000CE0000-0x00000000013A9000-memory.dmp	themida
behavioral1/memory/1124-70-0x0000000000CE0000-0x00000000013A9000-memory.dmp	themida
behavioral1/memory/576-71-0x000000013FCE0000-0x00000001405F8000-memory.dmp	themida
behavioral1/memory/576-72-0x000000013FCE0000-0x00000001405F8000-memory.dmp	themida
behavioral1/memory/576-73-0x000000013FCE0000-0x00000001405F8000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\lizard\remedy.exe	themida
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
behavioral1/memory/852-81-0x000000013F690000-0x000000013FFA8000-memory.dmp	themida
behavioral1/memory/852-82-0x000000013F690000-0x000000013FFA8000-memory.dmp	themida
behavioral1/memory/852-83-0x000000013F690000-0x000000013FFA8000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

remedy.exeIntelRapid.exesimityvp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	remedy.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	simityvp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

simityvp.exeremedy.exeIntelRapid.exe

pid process

1124 simityvp.exe
576 remedy.exe
852 IntelRapid.exe

flow	ioc
4	ip-api.com

pid	process
1124	simityvp.exe
576	remedy.exe
852	IntelRapid.exe

Drops file in Program Files directory 3 IoCs

Processes:

4708d7597f8efc46d22031ffc794047a.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	4708d7597f8efc46d22031ffc794047a.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	4708d7597f8efc46d22031ffc794047a.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	4708d7597f8efc46d22031ffc794047a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

simityvp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	simityvp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	simityvp.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

IntelRapid.exe

pid process

852 IntelRapid.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

simityvp.exe

pid process

1124 simityvp.exe

pid	process
852	IntelRapid.exe

pid	process
1124	simityvp.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

4708d7597f8efc46d22031ffc794047a.exeremedy.exesimityvp.exe

description	pid	process	target process
PID 580 wrote to memory of 576	580	4708d7597f8efc46d22031ffc794047a.exe	remedy.exe
PID 580 wrote to memory of 576	580	4708d7597f8efc46d22031ffc794047a.exe	remedy.exe
PID 580 wrote to memory of 576	580	4708d7597f8efc46d22031ffc794047a.exe	remedy.exe
PID 580 wrote to memory of 576	580	4708d7597f8efc46d22031ffc794047a.exe	remedy.exe
PID 580 wrote to memory of 1124	580	4708d7597f8efc46d22031ffc794047a.exe	simityvp.exe
PID 580 wrote to memory of 1124	580	4708d7597f8efc46d22031ffc794047a.exe	simityvp.exe
PID 580 wrote to memory of 1124	580	4708d7597f8efc46d22031ffc794047a.exe	simityvp.exe
PID 580 wrote to memory of 1124	580	4708d7597f8efc46d22031ffc794047a.exe	simityvp.exe
PID 580 wrote to memory of 1124	580	4708d7597f8efc46d22031ffc794047a.exe	simityvp.exe
PID 580 wrote to memory of 1124	580	4708d7597f8efc46d22031ffc794047a.exe	simityvp.exe
PID 580 wrote to memory of 1124	580	4708d7597f8efc46d22031ffc794047a.exe	simityvp.exe
PID 576 wrote to memory of 852	576	remedy.exe	IntelRapid.exe
PID 576 wrote to memory of 852	576	remedy.exe	IntelRapid.exe
PID 576 wrote to memory of 852	576	remedy.exe	IntelRapid.exe
PID 1124 wrote to memory of 1968	1124	simityvp.exe	WScript.exe
PID 1124 wrote to memory of 1968	1124	simityvp.exe	WScript.exe
PID 1124 wrote to memory of 1968	1124	simityvp.exe	WScript.exe
PID 1124 wrote to memory of 1968	1124	simityvp.exe	WScript.exe
PID 1124 wrote to memory of 1968	1124	simityvp.exe	WScript.exe
PID 1124 wrote to memory of 1968	1124	simityvp.exe	WScript.exe
PID 1124 wrote to memory of 1968	1124	simityvp.exe	WScript.exe
PID 1124 wrote to memory of 944	1124	simityvp.exe	WScript.exe
PID 1124 wrote to memory of 944	1124	simityvp.exe	WScript.exe
PID 1124 wrote to memory of 944	1124	simityvp.exe	WScript.exe
PID 1124 wrote to memory of 944	1124	simityvp.exe	WScript.exe
PID 1124 wrote to memory of 944	1124	simityvp.exe	WScript.exe
PID 1124 wrote to memory of 944	1124	simityvp.exe	WScript.exe
PID 1124 wrote to memory of 944	1124	simityvp.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\4708d7597f8efc46d22031ffc794047a.exe
"C:\Users\Admin\AppData\Local\Temp\4708d7597f8efc46d22031ffc794047a.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:580

C:\Users\Admin\AppData\Local\Temp\lizard\remedy.exe
"C:\Users\Admin\AppData\Local\Temp\lizard\remedy.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:576

C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
"C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
PID:852

C:\Users\Admin\AppData\Local\Temp\lizard\simityvp.exe
"C:\Users\Admin\AppData\Local\Temp\lizard\simityvp.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ljqriimqmfu.vbs"
3⤵
PID:1968

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ltfkqdfpj.vbs"
3⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
ab5c36d10261c173c5896f3478cdc6b7

SHA1
87ac53810ad125663519e944bc87ded3979cbee4

SHA256
f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

SHA512
e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
2001aaa3f2e5bf8f18b122d70905eb16

SHA1
3773cbcbc740ee458c25d4e7df4aa417b4641330

SHA256
e18a063f48a521ed5f3b11c607a13b059197ea0a4975d74c755b0e4ed07691fb

SHA512
4b23b1050bbc2a3c785eedfa72325e4b9d0597987623a58be5e7b0055ee4cf969f6ee28054b1caee1df21aa9fbe3af4fad236f48803b7fdc755098cebb6fb809

Download Submit
C:\Users\Admin\AppData\Local\Temp\lizard\remedy.exe
MD5
a549bfe1170323076f438b7199bd39da

SHA1
fb893bcde83c6a8544276f464f03ec762cd3ca0a

SHA256
10a7145031d494fa4b85a71bf01ada3362ce77cd94dc8f6bd7c0afcf7797aac8

SHA512
469a623678fe783cac684b61431b8694f88cb23cf048df3e2d3e0f7955f92f79dcc58de03788d7a34c6ec7e9511c0902f72e8484ccf2834bb4275d362d81ceda

Download Submit
C:\Users\Admin\AppData\Local\Temp\lizard\remedy.exe
MD5
a549bfe1170323076f438b7199bd39da

SHA1
fb893bcde83c6a8544276f464f03ec762cd3ca0a

SHA256
10a7145031d494fa4b85a71bf01ada3362ce77cd94dc8f6bd7c0afcf7797aac8

SHA512
469a623678fe783cac684b61431b8694f88cb23cf048df3e2d3e0f7955f92f79dcc58de03788d7a34c6ec7e9511c0902f72e8484ccf2834bb4275d362d81ceda

Download Submit
C:\Users\Admin\AppData\Local\Temp\lizard\simityvp.exe
MD5
7acd70f3dfdcd33dbe40603e939fcb79

SHA1
d7f63d7b0a37b3d78d13e8ea783e0aba6507aa20

SHA256
069539fb82534ac72239b2f35f4711cd4ac828d26ab29e159c1082f725b9999d

SHA512
4ef930ac69b82f078084212d6e57ea0522568452aca5e35de3a0b85a99a9dae6209fcd394582ea64ac8d45e9708dffefada5d267254332bfa62da780d968cefc

Download Submit
C:\Users\Admin\AppData\Local\Temp\lizard\simityvp.exe
MD5
7acd70f3dfdcd33dbe40603e939fcb79

SHA1
d7f63d7b0a37b3d78d13e8ea783e0aba6507aa20

SHA256
069539fb82534ac72239b2f35f4711cd4ac828d26ab29e159c1082f725b9999d

SHA512
4ef930ac69b82f078084212d6e57ea0522568452aca5e35de3a0b85a99a9dae6209fcd394582ea64ac8d45e9708dffefada5d267254332bfa62da780d968cefc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ljqriimqmfu.vbs
MD5
b91ae9731e85b6a445097aff372c622a

SHA1
2f5e94ae42083db9f12910931305ee83313d37a3

SHA256
19c60531efa9f36004c842085e5542acbee78e8db31116421606a65da63b3f57

SHA512
1965d14082bed87b8ba07613d3f161d0d8c2fefb44069621ff9085909134f985db029449a0ae65a34cfdeb2715ea793c02d22e9e59908425cf30d5df6826f45e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ltfkqdfpj.vbs
MD5
a15519191226c00b182dcbff584bebf0

SHA1
a84cc0e2fb1ff8c3b4f5be1fb5f630fb56e45b52

SHA256
89166d78f1c5433b3b099976bd10f1999c92620bb0644719557b5a7aa95c906d

SHA512
40ad1891ac93d7636f1e95d9017af8b745d9a02e706fc0fd7a8308c9074ab345e31076e1b40e27a419bc6ced5b14726b72134436e0f451b41a1be18de2b04b33

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
a549bfe1170323076f438b7199bd39da

SHA1
fb893bcde83c6a8544276f464f03ec762cd3ca0a

SHA256
10a7145031d494fa4b85a71bf01ada3362ce77cd94dc8f6bd7c0afcf7797aac8

SHA512
469a623678fe783cac684b61431b8694f88cb23cf048df3e2d3e0f7955f92f79dcc58de03788d7a34c6ec7e9511c0902f72e8484ccf2834bb4275d362d81ceda

Download Submit
\Users\Admin\AppData\Local\Temp\lizard\remedy.exe
MD5
a549bfe1170323076f438b7199bd39da

SHA1
fb893bcde83c6a8544276f464f03ec762cd3ca0a

SHA256
10a7145031d494fa4b85a71bf01ada3362ce77cd94dc8f6bd7c0afcf7797aac8

SHA512
469a623678fe783cac684b61431b8694f88cb23cf048df3e2d3e0f7955f92f79dcc58de03788d7a34c6ec7e9511c0902f72e8484ccf2834bb4275d362d81ceda

Download Submit
\Users\Admin\AppData\Local\Temp\lizard\remedy.exe
MD5
a549bfe1170323076f438b7199bd39da

SHA1
fb893bcde83c6a8544276f464f03ec762cd3ca0a

SHA256
10a7145031d494fa4b85a71bf01ada3362ce77cd94dc8f6bd7c0afcf7797aac8

SHA512
469a623678fe783cac684b61431b8694f88cb23cf048df3e2d3e0f7955f92f79dcc58de03788d7a34c6ec7e9511c0902f72e8484ccf2834bb4275d362d81ceda

Download Submit
\Users\Admin\AppData\Local\Temp\lizard\simityvp.exe
MD5
7acd70f3dfdcd33dbe40603e939fcb79

SHA1
d7f63d7b0a37b3d78d13e8ea783e0aba6507aa20

SHA256
069539fb82534ac72239b2f35f4711cd4ac828d26ab29e159c1082f725b9999d

SHA512
4ef930ac69b82f078084212d6e57ea0522568452aca5e35de3a0b85a99a9dae6209fcd394582ea64ac8d45e9708dffefada5d267254332bfa62da780d968cefc

Download Submit
\Users\Admin\AppData\Local\Temp\lizard\simityvp.exe
MD5
7acd70f3dfdcd33dbe40603e939fcb79

SHA1
d7f63d7b0a37b3d78d13e8ea783e0aba6507aa20

SHA256
069539fb82534ac72239b2f35f4711cd4ac828d26ab29e159c1082f725b9999d

SHA512
4ef930ac69b82f078084212d6e57ea0522568452aca5e35de3a0b85a99a9dae6209fcd394582ea64ac8d45e9708dffefada5d267254332bfa62da780d968cefc

Download Submit
\Users\Admin\AppData\Local\Temp\lizard\simityvp.exe
MD5
7acd70f3dfdcd33dbe40603e939fcb79

SHA1
d7f63d7b0a37b3d78d13e8ea783e0aba6507aa20

SHA256
069539fb82534ac72239b2f35f4711cd4ac828d26ab29e159c1082f725b9999d

SHA512
4ef930ac69b82f078084212d6e57ea0522568452aca5e35de3a0b85a99a9dae6209fcd394582ea64ac8d45e9708dffefada5d267254332bfa62da780d968cefc

Download Submit
\Users\Admin\AppData\Local\Temp\nst34B8.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
a549bfe1170323076f438b7199bd39da

SHA1
fb893bcde83c6a8544276f464f03ec762cd3ca0a

SHA256
10a7145031d494fa4b85a71bf01ada3362ce77cd94dc8f6bd7c0afcf7797aac8

SHA512
469a623678fe783cac684b61431b8694f88cb23cf048df3e2d3e0f7955f92f79dcc58de03788d7a34c6ec7e9511c0902f72e8484ccf2834bb4275d362d81ceda

Download Submit
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
a549bfe1170323076f438b7199bd39da

SHA1
fb893bcde83c6a8544276f464f03ec762cd3ca0a

SHA256
10a7145031d494fa4b85a71bf01ada3362ce77cd94dc8f6bd7c0afcf7797aac8

SHA512
469a623678fe783cac684b61431b8694f88cb23cf048df3e2d3e0f7955f92f79dcc58de03788d7a34c6ec7e9511c0902f72e8484ccf2834bb4275d362d81ceda

Download Submit
\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
MD5
a549bfe1170323076f438b7199bd39da

SHA1
fb893bcde83c6a8544276f464f03ec762cd3ca0a

SHA256
10a7145031d494fa4b85a71bf01ada3362ce77cd94dc8f6bd7c0afcf7797aac8

SHA512
469a623678fe783cac684b61431b8694f88cb23cf048df3e2d3e0f7955f92f79dcc58de03788d7a34c6ec7e9511c0902f72e8484ccf2834bb4275d362d81ceda

Download Submit
memory/576-73-0x000000013FCE0000-0x00000001405F8000-memory.dmp

Filesize
9.1MB

Download
memory/576-71-0x000000013FCE0000-0x00000001405F8000-memory.dmp

Filesize
9.1MB

Download
memory/576-75-0x000007FEFBA71000-0x000007FEFBA73000-memory.dmp

Filesize
8KB

Download
memory/576-58-0x0000000000000000-mapping.dmp

Download
memory/576-72-0x000000013FCE0000-0x00000001405F8000-memory.dmp

Filesize
9.1MB

Download
memory/580-54-0x0000000074F81000-0x0000000074F83000-memory.dmp

Filesize
8KB

Download
memory/852-79-0x0000000000000000-mapping.dmp

Download
memory/852-81-0x000000013F690000-0x000000013FFA8000-memory.dmp

Filesize
9.1MB

Download
memory/852-82-0x000000013F690000-0x000000013FFA8000-memory.dmp

Filesize
9.1MB

Download
memory/852-83-0x000000013F690000-0x000000013FFA8000-memory.dmp

Filesize
9.1MB

Download
memory/944-87-0x0000000000000000-mapping.dmp

Download
memory/1124-69-0x0000000000CE0000-0x00000000013A9000-memory.dmp

Filesize
6.8MB

Download
memory/1124-68-0x0000000000CE0000-0x00000000013A9000-memory.dmp

Filesize
6.8MB

Download
memory/1124-67-0x0000000000CE0000-0x00000000013A9000-memory.dmp

Filesize
6.8MB

Download
memory/1124-61-0x0000000000000000-mapping.dmp

Download
memory/1124-70-0x0000000000CE0000-0x00000000013A9000-memory.dmp

Filesize
6.8MB

Download
memory/1968-84-0x0000000000000000-mapping.dmp

Download