cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c

Analysis

max time kernel
96s
max time network
94s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exe
Size

645KB
MD5

550fbcd1774a4f27495f6b629d24057a
SHA1

41fee316aae8c639e2b90013cabad4ec133c7fc0
SHA256

cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c
SHA512

bba4b5a6d704541f62aa7a271a3007f1fbecda487ec664101b034964ad826d5fcada4a9d355ed94543f039e5b71d8848b2c9210f99cca790b116327294e860a1
SSDEEP

12288:eRRbwLC2zgOEntneFQxalV36HmQTvtYUYIGCw/8PT4gwDG3Kgt7o9:wMn0OE5SV36rTms13JK9

Score

10^/10

bootkit evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

H576S7OcbFMSL4lbA6c9.exeliegao.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	H576S7OcbFMSL4lbA6c9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	liegao.exe

Executes dropped EXE 4 IoCs

Processes:

H576S7OcbFMSL4lbA6c9.exejob.exejoc.exeliegao.exe

pid process

1356 H576S7OcbFMSL4lbA6c9.exe
964 job.exe
1572 joc.exe
1032 liegao.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

968 cmd.exe

pid	process
968	cmd.exe

Loads dropped DLL 16 IoCs

Processes:

cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exerundll32.exerundll32.exeH576S7OcbFMSL4lbA6c9.exe

pid	process
1384	cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exe
1384	cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exe
1384	cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exe
1384	cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exe
1384	cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exe
1384	cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exe
1984	rundll32.exe
1984	rundll32.exe
1984	rundll32.exe
1984	rundll32.exe
1932	rundll32.exe
1932	rundll32.exe
1932	rundll32.exe
1932	rundll32.exe
1356	H576S7OcbFMSL4lbA6c9.exe
1356	H576S7OcbFMSL4lbA6c9.exe

Adds Run key to start application 2 TTPs 21 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

liegao.exeH576S7OcbFMSL4lbA6c9.exerundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\liegao = "C:\\Users\\Admin\\liegao.exe /D"	liegao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\liegao = "C:\\Users\\Admin\\liegao.exe /m"	liegao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\liegao = "C:\\Users\\Admin\\liegao.exe /I"	liegao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\liegao = "C:\\Users\\Admin\\liegao.exe /X"	liegao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\liegao = "C:\\Users\\Admin\\liegao.exe /C"	liegao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\liegao = "C:\\Users\\Admin\\liegao.exe /F"	liegao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\liegao = "C:\\Users\\Admin\\liegao.exe /e"	liegao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\liegao = "C:\\Users\\Admin\\liegao.exe /J"	liegao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\liegao = "C:\\Users\\Admin\\liegao.exe /K"	H576S7OcbFMSL4lbA6c9.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	liegao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\liegao = "C:\\Users\\Admin\\liegao.exe /O"	liegao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\liegao = "C:\\Users\\Admin\\liegao.exe /G"	liegao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\liegao = "C:\\Users\\Admin\\liegao.exe /y"	liegao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\liegao = "C:\\Users\\Admin\\liegao.exe /E"	liegao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\liegao = "C:\\Users\\Admin\\liegao.exe /q"	liegao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\liegao = "C:\\Users\\Admin\\liegao.exe /g"	liegao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lzololacihire = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\UShFWilt.dll\",Startup"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	H576S7OcbFMSL4lbA6c9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\liegao = "C:\\Users\\Admin\\liegao.exe /n"	liegao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\liegao = "C:\\Users\\Admin\\liegao.exe /j"	liegao.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\liegao = "C:\\Users\\Admin\\liegao.exe /t"	liegao.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

job.exe

description ioc process

File opened for modification \??\physicaldrive0 job.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1676 tasklist.exe

description	ioc	process
File opened for modification	\??\physicaldrive0	job.exe

pid	process
1676	tasklist.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

H576S7OcbFMSL4lbA6c9.exerundll32.exeliegao.exe

pid	process
1356	H576S7OcbFMSL4lbA6c9.exe
1984	rundll32.exe
1984	rundll32.exe
1356	H576S7OcbFMSL4lbA6c9.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1984	rundll32.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe
1032	liegao.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

job.exetasklist.exerundll32.exe

description	pid	process
Token: SeShutdownPrivilege	964	job.exe
Token: SeDebugPrivilege	1676	tasklist.exe
Token: SeRestorePrivilege	1932	rundll32.exe
Token: SeRestorePrivilege	1932	rundll32.exe
Token: SeRestorePrivilege	1932	rundll32.exe
Token: SeRestorePrivilege	1932	rundll32.exe
Token: SeRestorePrivilege	1932	rundll32.exe
Token: SeRestorePrivilege	1932	rundll32.exe
Token: SeRestorePrivilege	1932	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

H576S7OcbFMSL4lbA6c9.exeliegao.exe

pid process

1356 H576S7OcbFMSL4lbA6c9.exe
1032 liegao.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exejoc.exerundll32.exeH576S7OcbFMSL4lbA6c9.execmd.exeliegao.exe

description	pid	process	target process
PID 1384 wrote to memory of 1356	1384	cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exe	H576S7OcbFMSL4lbA6c9.exe
PID 1384 wrote to memory of 1356	1384	cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exe	H576S7OcbFMSL4lbA6c9.exe
PID 1384 wrote to memory of 1356	1384	cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exe	H576S7OcbFMSL4lbA6c9.exe
PID 1384 wrote to memory of 1356	1384	cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exe	H576S7OcbFMSL4lbA6c9.exe
PID 1384 wrote to memory of 964	1384	cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exe	job.exe
PID 1384 wrote to memory of 964	1384	cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exe	job.exe
PID 1384 wrote to memory of 964	1384	cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exe	job.exe
PID 1384 wrote to memory of 964	1384	cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exe	job.exe
PID 1384 wrote to memory of 1572	1384	cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exe	joc.exe
PID 1384 wrote to memory of 1572	1384	cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exe	joc.exe
PID 1384 wrote to memory of 1572	1384	cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exe	joc.exe
PID 1384 wrote to memory of 1572	1384	cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exe	joc.exe
PID 1384 wrote to memory of 968	1384	cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exe	cmd.exe
PID 1384 wrote to memory of 968	1384	cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exe	cmd.exe
PID 1384 wrote to memory of 968	1384	cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exe	cmd.exe
PID 1384 wrote to memory of 968	1384	cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exe	cmd.exe
PID 1572 wrote to memory of 1984	1572	joc.exe	rundll32.exe
PID 1572 wrote to memory of 1984	1572	joc.exe	rundll32.exe
PID 1572 wrote to memory of 1984	1572	joc.exe	rundll32.exe
PID 1572 wrote to memory of 1984	1572	joc.exe	rundll32.exe
PID 1572 wrote to memory of 1984	1572	joc.exe	rundll32.exe
PID 1572 wrote to memory of 1984	1572	joc.exe	rundll32.exe
PID 1572 wrote to memory of 1984	1572	joc.exe	rundll32.exe
PID 1984 wrote to memory of 1932	1984	rundll32.exe	rundll32.exe
PID 1984 wrote to memory of 1932	1984	rundll32.exe	rundll32.exe
PID 1984 wrote to memory of 1932	1984	rundll32.exe	rundll32.exe
PID 1984 wrote to memory of 1932	1984	rundll32.exe	rundll32.exe
PID 1984 wrote to memory of 1932	1984	rundll32.exe	rundll32.exe
PID 1984 wrote to memory of 1932	1984	rundll32.exe	rundll32.exe
PID 1984 wrote to memory of 1932	1984	rundll32.exe	rundll32.exe
PID 1356 wrote to memory of 1032	1356	H576S7OcbFMSL4lbA6c9.exe	liegao.exe
PID 1356 wrote to memory of 1032	1356	H576S7OcbFMSL4lbA6c9.exe	liegao.exe
PID 1356 wrote to memory of 1032	1356	H576S7OcbFMSL4lbA6c9.exe	liegao.exe
PID 1356 wrote to memory of 1032	1356	H576S7OcbFMSL4lbA6c9.exe	liegao.exe
PID 1356 wrote to memory of 2032	1356	H576S7OcbFMSL4lbA6c9.exe	cmd.exe
PID 1356 wrote to memory of 2032	1356	H576S7OcbFMSL4lbA6c9.exe	cmd.exe
PID 1356 wrote to memory of 2032	1356	H576S7OcbFMSL4lbA6c9.exe	cmd.exe
PID 1356 wrote to memory of 2032	1356	H576S7OcbFMSL4lbA6c9.exe	cmd.exe
PID 2032 wrote to memory of 1676	2032	cmd.exe	tasklist.exe
PID 2032 wrote to memory of 1676	2032	cmd.exe	tasklist.exe
PID 2032 wrote to memory of 1676	2032	cmd.exe	tasklist.exe
PID 2032 wrote to memory of 1676	2032	cmd.exe	tasklist.exe
PID 1032 wrote to memory of 1676	1032	liegao.exe	tasklist.exe
PID 1032 wrote to memory of 1676	1032	liegao.exe	tasklist.exe
PID 1032 wrote to memory of 1676	1032	liegao.exe	tasklist.exe
PID 1032 wrote to memory of 1676	1032	liegao.exe	tasklist.exe
PID 1032 wrote to memory of 1676	1032	liegao.exe	tasklist.exe
PID 1032 wrote to memory of 1676	1032	liegao.exe	tasklist.exe
PID 1032 wrote to memory of 1676	1032	liegao.exe	tasklist.exe
PID 1032 wrote to memory of 1676	1032	liegao.exe	tasklist.exe
PID 1032 wrote to memory of 1676	1032	liegao.exe	tasklist.exe
PID 1032 wrote to memory of 1676	1032	liegao.exe	tasklist.exe
PID 1032 wrote to memory of 1676	1032	liegao.exe	tasklist.exe
PID 1032 wrote to memory of 1676	1032	liegao.exe	tasklist.exe
PID 1032 wrote to memory of 1676	1032	liegao.exe	tasklist.exe
PID 1032 wrote to memory of 1676	1032	liegao.exe	tasklist.exe
PID 1032 wrote to memory of 1676	1032	liegao.exe	tasklist.exe
PID 1032 wrote to memory of 1676	1032	liegao.exe	tasklist.exe
PID 1032 wrote to memory of 1676	1032	liegao.exe	tasklist.exe
PID 1032 wrote to memory of 1676	1032	liegao.exe	tasklist.exe
PID 1032 wrote to memory of 1676	1032	liegao.exe	tasklist.exe
PID 1032 wrote to memory of 1676	1032	liegao.exe	tasklist.exe
PID 1032 wrote to memory of 1676	1032	liegao.exe	tasklist.exe
PID 1032 wrote to memory of 1676	1032	liegao.exe	tasklist.exe

C:\Users\Admin\AppData\Local\Temp\cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exe
"C:\Users\Admin\AppData\Local\Temp\cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1384

C:\Users\Admin\H576S7OcbFMSL4lbA6c9.exe
H576S7OcbFMSL4lbA6c9.exe
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\liegao.exe
"C:\Users\Admin\liegao.exe"
3⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del H576S7OcbFMSL4lbA6c9.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Users\Admin\job.exe
job.exe
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Users\Admin\joc.exe
joc.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\UShFWilt.dll",Startup
3⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\UShFWilt.dll",iep
4⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\SysWOW64\cmd.exe
cmd /c del cc794417a1ea7304185eb15fd5df4acedf7be20a2d053780552b17acc4ea960c.exe
2⤵
- Deletes itself
PID:968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\UShFWilt.dll

Filesize
109KB

MD5
c0b9e3a8efac7b06f3c1d0728ade262d

SHA1
9ec3e310abbccb247390d250ae0887ee06b55515

SHA256
860147dbef8d0c08371b9137bf627c1974b3cbd5904fbadbfbcfeaf292d77b06

SHA512
8a8b13756118e337ef8bc103f308f502f78efc915999173eef12115a30a98221b4858e6d0e806e6a897feba23531305147f2984a2e6a5cd1790a47745233e197

Download Submit
C:\Users\Admin\H576S7OcbFMSL4lbA6c9.exe

Filesize
132KB

MD5
c17630f33b3ae8508ee24c2f910ebc8e

SHA1
66b9dcea656feb35234fe35a6c1d831b06f665a2

SHA256
d8013736d35ec810f213d09270f2bbd3f87505900cc8ed4d16d6c18eafcad9fb

SHA512
ca256e72ccdf366bc1801f56dc3724dea1b7cdcc546627f199aeb7abbf2ad25b3162a238d375da404117417cab021f5794f431e1b5220804451655e2f9375a51

Download Submit
C:\Users\Admin\H576S7OcbFMSL4lbA6c9.exe

Filesize
132KB

MD5
c17630f33b3ae8508ee24c2f910ebc8e

SHA1
66b9dcea656feb35234fe35a6c1d831b06f665a2

SHA256
d8013736d35ec810f213d09270f2bbd3f87505900cc8ed4d16d6c18eafcad9fb

SHA512
ca256e72ccdf366bc1801f56dc3724dea1b7cdcc546627f199aeb7abbf2ad25b3162a238d375da404117417cab021f5794f431e1b5220804451655e2f9375a51

Download Submit
C:\Users\Admin\job.exe

Filesize
177KB

MD5
2f0c6d4c58ed356e8ca16499260250fd

SHA1
5351a4d7e65ee768b49ceb7885ebfc1efc53d10d

SHA256
8b92d5a0b0b480ead51f60df0b2638ee214f71152bcb3dfad0509b2b0fc956b9

SHA512
1bb21b0b0bd80017e12f83b153826f4f93ea8550c7810ba34671e20231e3303977466e73081df3969db43c40b4217eeb52968eb01a87ace0dfa2e2b01d6e7ed0

Download Submit
C:\Users\Admin\job.exe

Filesize
177KB

MD5
2f0c6d4c58ed356e8ca16499260250fd

SHA1
5351a4d7e65ee768b49ceb7885ebfc1efc53d10d

SHA256
8b92d5a0b0b480ead51f60df0b2638ee214f71152bcb3dfad0509b2b0fc956b9

SHA512
1bb21b0b0bd80017e12f83b153826f4f93ea8550c7810ba34671e20231e3303977466e73081df3969db43c40b4217eeb52968eb01a87ace0dfa2e2b01d6e7ed0

Download Submit
C:\Users\Admin\joc.exe

Filesize
109KB

MD5
f917c58a1f8d689408f37eac2e9765a7

SHA1
e1d5cbbbf0cc0953f89ab8dd873307a78988485a

SHA256
d4e1b453dc70d6296e90cf0c2bc6d3ca265e1e899078d4eaec79d2dc0199909c

SHA512
119b92c1824c96337606b833bd971feaad5a20815994d4cffcd441d358b847101295c78fff456997b311af457a09c187658d517d8486177ecf72f0b0212c52d0

Download Submit
C:\Users\Admin\joc.exe

Filesize
109KB

MD5
f917c58a1f8d689408f37eac2e9765a7

SHA1
e1d5cbbbf0cc0953f89ab8dd873307a78988485a

SHA256
d4e1b453dc70d6296e90cf0c2bc6d3ca265e1e899078d4eaec79d2dc0199909c

SHA512
119b92c1824c96337606b833bd971feaad5a20815994d4cffcd441d358b847101295c78fff456997b311af457a09c187658d517d8486177ecf72f0b0212c52d0

Download Submit
C:\Users\Admin\liegao.exe

Filesize
132KB

MD5
0c866a05688bc2d7986d22bec5fd3abd

SHA1
aa177fef90e94ba566cdddfc00b6bc06240d2464

SHA256
0f4fd5a44d5bcc4bd8bb4e3f7762b9cdace51d61a80014688998cf038f056fe9

SHA512
c273a171b34f8d01848fd1a9ed5658f068dd594774d4ebb9ef3641a4e0c1576513439e3a8b4d6cfcff4ca356862f0c85fbc6a56293b89b262af97590c0266cbf

Download Submit
C:\Users\Admin\liegao.exe

Filesize
132KB

MD5
0c866a05688bc2d7986d22bec5fd3abd

SHA1
aa177fef90e94ba566cdddfc00b6bc06240d2464

SHA256
0f4fd5a44d5bcc4bd8bb4e3f7762b9cdace51d61a80014688998cf038f056fe9

SHA512
c273a171b34f8d01848fd1a9ed5658f068dd594774d4ebb9ef3641a4e0c1576513439e3a8b4d6cfcff4ca356862f0c85fbc6a56293b89b262af97590c0266cbf

Download Submit
\Users\Admin\AppData\Local\UShFWilt.dll

Filesize
109KB

MD5
c0b9e3a8efac7b06f3c1d0728ade262d

SHA1
9ec3e310abbccb247390d250ae0887ee06b55515

SHA256
860147dbef8d0c08371b9137bf627c1974b3cbd5904fbadbfbcfeaf292d77b06

SHA512
8a8b13756118e337ef8bc103f308f502f78efc915999173eef12115a30a98221b4858e6d0e806e6a897feba23531305147f2984a2e6a5cd1790a47745233e197

Download Submit
\Users\Admin\AppData\Local\UShFWilt.dll

Filesize
109KB

MD5
c0b9e3a8efac7b06f3c1d0728ade262d

SHA1
9ec3e310abbccb247390d250ae0887ee06b55515

SHA256
860147dbef8d0c08371b9137bf627c1974b3cbd5904fbadbfbcfeaf292d77b06

SHA512
8a8b13756118e337ef8bc103f308f502f78efc915999173eef12115a30a98221b4858e6d0e806e6a897feba23531305147f2984a2e6a5cd1790a47745233e197

Download Submit
\Users\Admin\AppData\Local\UShFWilt.dll

Filesize
109KB

MD5
c0b9e3a8efac7b06f3c1d0728ade262d

SHA1
9ec3e310abbccb247390d250ae0887ee06b55515

SHA256
860147dbef8d0c08371b9137bf627c1974b3cbd5904fbadbfbcfeaf292d77b06

SHA512
8a8b13756118e337ef8bc103f308f502f78efc915999173eef12115a30a98221b4858e6d0e806e6a897feba23531305147f2984a2e6a5cd1790a47745233e197

Download Submit
\Users\Admin\AppData\Local\UShFWilt.dll

Filesize
109KB

MD5
c0b9e3a8efac7b06f3c1d0728ade262d

SHA1
9ec3e310abbccb247390d250ae0887ee06b55515

SHA256
860147dbef8d0c08371b9137bf627c1974b3cbd5904fbadbfbcfeaf292d77b06

SHA512
8a8b13756118e337ef8bc103f308f502f78efc915999173eef12115a30a98221b4858e6d0e806e6a897feba23531305147f2984a2e6a5cd1790a47745233e197

Download Submit
\Users\Admin\AppData\Local\UShFWilt.dll

Filesize
109KB

MD5
c0b9e3a8efac7b06f3c1d0728ade262d

SHA1
9ec3e310abbccb247390d250ae0887ee06b55515

SHA256
860147dbef8d0c08371b9137bf627c1974b3cbd5904fbadbfbcfeaf292d77b06

SHA512
8a8b13756118e337ef8bc103f308f502f78efc915999173eef12115a30a98221b4858e6d0e806e6a897feba23531305147f2984a2e6a5cd1790a47745233e197

Download Submit
\Users\Admin\AppData\Local\UShFWilt.dll

Filesize
109KB

MD5
c0b9e3a8efac7b06f3c1d0728ade262d

SHA1
9ec3e310abbccb247390d250ae0887ee06b55515

SHA256
860147dbef8d0c08371b9137bf627c1974b3cbd5904fbadbfbcfeaf292d77b06

SHA512
8a8b13756118e337ef8bc103f308f502f78efc915999173eef12115a30a98221b4858e6d0e806e6a897feba23531305147f2984a2e6a5cd1790a47745233e197

Download Submit
\Users\Admin\AppData\Local\UShFWilt.dll

Filesize
109KB

MD5
c0b9e3a8efac7b06f3c1d0728ade262d

SHA1
9ec3e310abbccb247390d250ae0887ee06b55515

SHA256
860147dbef8d0c08371b9137bf627c1974b3cbd5904fbadbfbcfeaf292d77b06

SHA512
8a8b13756118e337ef8bc103f308f502f78efc915999173eef12115a30a98221b4858e6d0e806e6a897feba23531305147f2984a2e6a5cd1790a47745233e197

Download Submit
\Users\Admin\AppData\Local\UShFWilt.dll

Filesize
109KB

MD5
c0b9e3a8efac7b06f3c1d0728ade262d

SHA1
9ec3e310abbccb247390d250ae0887ee06b55515

SHA256
860147dbef8d0c08371b9137bf627c1974b3cbd5904fbadbfbcfeaf292d77b06

SHA512
8a8b13756118e337ef8bc103f308f502f78efc915999173eef12115a30a98221b4858e6d0e806e6a897feba23531305147f2984a2e6a5cd1790a47745233e197

Download Submit
\Users\Admin\H576S7OcbFMSL4lbA6c9.exe

Filesize
132KB

MD5
c17630f33b3ae8508ee24c2f910ebc8e

SHA1
66b9dcea656feb35234fe35a6c1d831b06f665a2

SHA256
d8013736d35ec810f213d09270f2bbd3f87505900cc8ed4d16d6c18eafcad9fb

SHA512
ca256e72ccdf366bc1801f56dc3724dea1b7cdcc546627f199aeb7abbf2ad25b3162a238d375da404117417cab021f5794f431e1b5220804451655e2f9375a51

Download Submit
\Users\Admin\H576S7OcbFMSL4lbA6c9.exe

Filesize
132KB

MD5
c17630f33b3ae8508ee24c2f910ebc8e

SHA1
66b9dcea656feb35234fe35a6c1d831b06f665a2

SHA256
d8013736d35ec810f213d09270f2bbd3f87505900cc8ed4d16d6c18eafcad9fb

SHA512
ca256e72ccdf366bc1801f56dc3724dea1b7cdcc546627f199aeb7abbf2ad25b3162a238d375da404117417cab021f5794f431e1b5220804451655e2f9375a51

Download Submit
\Users\Admin\job.exe

Filesize
177KB

MD5
2f0c6d4c58ed356e8ca16499260250fd

SHA1
5351a4d7e65ee768b49ceb7885ebfc1efc53d10d

SHA256
8b92d5a0b0b480ead51f60df0b2638ee214f71152bcb3dfad0509b2b0fc956b9

SHA512
1bb21b0b0bd80017e12f83b153826f4f93ea8550c7810ba34671e20231e3303977466e73081df3969db43c40b4217eeb52968eb01a87ace0dfa2e2b01d6e7ed0

Download Submit
\Users\Admin\job.exe

Filesize
177KB

MD5
2f0c6d4c58ed356e8ca16499260250fd

SHA1
5351a4d7e65ee768b49ceb7885ebfc1efc53d10d

SHA256
8b92d5a0b0b480ead51f60df0b2638ee214f71152bcb3dfad0509b2b0fc956b9

SHA512
1bb21b0b0bd80017e12f83b153826f4f93ea8550c7810ba34671e20231e3303977466e73081df3969db43c40b4217eeb52968eb01a87ace0dfa2e2b01d6e7ed0

Download Submit
\Users\Admin\joc.exe

Filesize
109KB

MD5
f917c58a1f8d689408f37eac2e9765a7

SHA1
e1d5cbbbf0cc0953f89ab8dd873307a78988485a

SHA256
d4e1b453dc70d6296e90cf0c2bc6d3ca265e1e899078d4eaec79d2dc0199909c

SHA512
119b92c1824c96337606b833bd971feaad5a20815994d4cffcd441d358b847101295c78fff456997b311af457a09c187658d517d8486177ecf72f0b0212c52d0

Download Submit
\Users\Admin\joc.exe

Filesize
109KB

MD5
f917c58a1f8d689408f37eac2e9765a7

SHA1
e1d5cbbbf0cc0953f89ab8dd873307a78988485a

SHA256
d4e1b453dc70d6296e90cf0c2bc6d3ca265e1e899078d4eaec79d2dc0199909c

SHA512
119b92c1824c96337606b833bd971feaad5a20815994d4cffcd441d358b847101295c78fff456997b311af457a09c187658d517d8486177ecf72f0b0212c52d0

Download Submit
\Users\Admin\liegao.exe

Filesize
132KB

MD5
0c866a05688bc2d7986d22bec5fd3abd

SHA1
aa177fef90e94ba566cdddfc00b6bc06240d2464

SHA256
0f4fd5a44d5bcc4bd8bb4e3f7762b9cdace51d61a80014688998cf038f056fe9

SHA512
c273a171b34f8d01848fd1a9ed5658f068dd594774d4ebb9ef3641a4e0c1576513439e3a8b4d6cfcff4ca356862f0c85fbc6a56293b89b262af97590c0266cbf

Download Submit
\Users\Admin\liegao.exe

Filesize
132KB

MD5
0c866a05688bc2d7986d22bec5fd3abd

SHA1
aa177fef90e94ba566cdddfc00b6bc06240d2464

SHA256
0f4fd5a44d5bcc4bd8bb4e3f7762b9cdace51d61a80014688998cf038f056fe9

SHA512
c273a171b34f8d01848fd1a9ed5658f068dd594774d4ebb9ef3641a4e0c1576513439e3a8b4d6cfcff4ca356862f0c85fbc6a56293b89b262af97590c0266cbf

Download Submit
memory/964-68-0x0000000000160000-0x00000000001B9000-memory.dmp

Filesize
356KB

Download
memory/964-79-0x0000000000160000-0x00000000001B9000-memory.dmp

Filesize
356KB

Download
memory/964-77-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/964-60-0x0000000000000000-mapping.dmp

Download
memory/968-74-0x0000000000000000-mapping.dmp

Download
memory/1032-99-0x0000000000000000-mapping.dmp

Download
memory/1356-56-0x0000000000000000-mapping.dmp

Download
memory/1572-66-0x0000000076701000-0x0000000076703000-memory.dmp

Filesize
8KB

Download
memory/1572-64-0x0000000000000000-mapping.dmp

Download
memory/1572-67-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1572-78-0x0000000001FB1000-0x0000000001FBE000-memory.dmp

Filesize
52KB

Download
memory/1676-106-0x0000000000000000-mapping.dmp

Download
memory/1932-95-0x00000000022C1000-0x00000000022CE000-memory.dmp

Filesize
52KB

Download
memory/1932-88-0x0000000000000000-mapping.dmp

Download
memory/1984-85-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/1984-87-0x0000000002171000-0x000000000217E000-memory.dmp

Filesize
52KB

Download
memory/1984-75-0x0000000000000000-mapping.dmp

Download
memory/2032-105-0x0000000000000000-mapping.dmp

Download