blacknet | 51c45fb238881bd25fd7435d8b8e44eee9cc56887a56a7e5f5bdef8ec8392465

Analysis

max time kernel
31s
max time network
264s
platform
windows10_x64
resource
win10-20220414-en
submitted
15-05-2022 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jusched.exe
Size

11.0MB
MD5

5891817266ffedc10d4a84a3bd483239
SHA1

b59d365a91b50ec55ccc1c1b2a70cbf858382aa3
SHA256

51c45fb238881bd25fd7435d8b8e44eee9cc56887a56a7e5f5bdef8ec8392465
SHA512

517c5d785f069ce566c1d89fcc998968a5cdfc6d85bcc7e42cc2e720b4be9b543065cc1c7967635948595fdbb4af3fc7714c8b90aa6035953bca40cba7272c23

Score

10^/10

blacknet bot persistence trojan upx

Malware Config

Extracted

Family

blacknet

Version

v3.6.0 Public

Botnet

Bot

http://f0483357.xsph.ru/

Mutex

BN[PHfunXGI-6235724]

Attributes

antivm
true
elevate_uac
false
install_name
jusched.exe
splitter
|BN|
start_name
a5b002eacf54590ec8401ff6d3f920ee
startup
true
usb_spread
true

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe	family_blacknet
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe	family_blacknet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

upx_compresser.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\AudioDriver\\taskhost.exe"	upx_compresser.exe

Executes dropped EXE 9 IoCs

Processes:

svshost.exejusched.exeWinlockerBuilderv5.exeupx_compresser.exesvshost.exeupx_compresser.exeWinlockerBuilderv5.exeupx_compresser.exeupx_compresser.exe

pid	process
4320	svshost.exe
4328	jusched.exe
4408	WinlockerBuilderv5.exe
4768	upx_compresser.exe
5008	svshost.exe
3456	upx_compresser.exe
3424	WinlockerBuilderv5.exe
1668	upx_compresser.exe
3848	upx_compresser.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe	upx
C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe	upx
C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe	upx
C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe	upx
C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe	upx
C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jusched.exejusched.exeupx_compresser.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jusched.exe"	jusched.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\jusched.exe"	jusched.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\jusched.exe"	jusched.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1804997378-2045782378-3882459628-1000\Software\Microsoft\Windows\CurrentVersion\Run\AudioDriver = "C:\\Users\\Admin\\Documents\\AudioDriver\\taskhost.exe"	upx_compresser.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

upx_compresser.exeupx_compresser.exe

description	pid	process	target process
PID 4768 set thread context of 3456	4768	upx_compresser.exe	upx_compresser.exe
PID 1668 set thread context of 3848	1668	upx_compresser.exe	upx_compresser.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

jusched.exejusched.exeupx_compresser.exeupx_compresser.exe

pid	process
2700	jusched.exe
2700	jusched.exe
2700	jusched.exe
2700	jusched.exe
2700	jusched.exe
2700	jusched.exe
2700	jusched.exe
2700	jusched.exe
2700	jusched.exe
2700	jusched.exe
2700	jusched.exe
2700	jusched.exe
2700	jusched.exe
2700	jusched.exe
4328	jusched.exe
4328	jusched.exe
4328	jusched.exe
4328	jusched.exe
4328	jusched.exe
4328	jusched.exe
4328	jusched.exe
4328	jusched.exe
4328	jusched.exe
4328	jusched.exe
4328	jusched.exe
4328	jusched.exe
4328	jusched.exe
4328	jusched.exe
4768	upx_compresser.exe
4768	upx_compresser.exe
1668	upx_compresser.exe
1668	upx_compresser.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

upx_compresser.exeupx_compresser.exe

pid process

4768 upx_compresser.exe
1668 upx_compresser.exe

pid	process
4768	upx_compresser.exe
1668	upx_compresser.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

jusched.exejusched.exeupx_compresser.exe

description	pid	process
Token: SeDebugPrivilege	2700	jusched.exe
Token: SeDebugPrivilege	4328	jusched.exe
Token: SeIncreaseQuotaPrivilege	3456	upx_compresser.exe
Token: SeSecurityPrivilege	3456	upx_compresser.exe
Token: SeTakeOwnershipPrivilege	3456	upx_compresser.exe
Token: SeLoadDriverPrivilege	3456	upx_compresser.exe
Token: SeSystemProfilePrivilege	3456	upx_compresser.exe
Token: SeSystemtimePrivilege	3456	upx_compresser.exe
Token: SeProfSingleProcessPrivilege	3456	upx_compresser.exe
Token: SeIncBasePriorityPrivilege	3456	upx_compresser.exe
Token: SeCreatePagefilePrivilege	3456	upx_compresser.exe
Token: SeBackupPrivilege	3456	upx_compresser.exe
Token: SeRestorePrivilege	3456	upx_compresser.exe
Token: SeShutdownPrivilege	3456	upx_compresser.exe
Token: SeDebugPrivilege	3456	upx_compresser.exe
Token: SeSystemEnvironmentPrivilege	3456	upx_compresser.exe
Token: SeChangeNotifyPrivilege	3456	upx_compresser.exe
Token: SeRemoteShutdownPrivilege	3456	upx_compresser.exe
Token: SeUndockPrivilege	3456	upx_compresser.exe
Token: SeManageVolumePrivilege	3456	upx_compresser.exe
Token: SeImpersonatePrivilege	3456	upx_compresser.exe
Token: SeCreateGlobalPrivilege	3456	upx_compresser.exe
Token: 33	3456	upx_compresser.exe
Token: 34	3456	upx_compresser.exe
Token: 35	3456	upx_compresser.exe
Token: 36	3456	upx_compresser.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

jusched.exejusched.exeWinlockerBuilderv5.exeWinlockerBuilderv5.exe

pid process

2700 jusched.exe
2700 jusched.exe
4328 jusched.exe
4328 jusched.exe
4408 WinlockerBuilderv5.exe
3424 WinlockerBuilderv5.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

jusched.exesvshost.exejusched.exeupx_compresser.exeupx_compresser.exe

description	pid	process	target process
PID 2700 wrote to memory of 4328	2700	jusched.exe	jusched.exe
PID 2700 wrote to memory of 4328	2700	jusched.exe	jusched.exe
PID 2700 wrote to memory of 4320	2700	jusched.exe	svshost.exe
PID 2700 wrote to memory of 4320	2700	jusched.exe	svshost.exe
PID 2700 wrote to memory of 4320	2700	jusched.exe	svshost.exe
PID 4320 wrote to memory of 4408	4320	svshost.exe	WinlockerBuilderv5.exe
PID 4320 wrote to memory of 4408	4320	svshost.exe	WinlockerBuilderv5.exe
PID 4320 wrote to memory of 4408	4320	svshost.exe	WinlockerBuilderv5.exe
PID 4320 wrote to memory of 4768	4320	svshost.exe	upx_compresser.exe
PID 4320 wrote to memory of 4768	4320	svshost.exe	upx_compresser.exe
PID 4320 wrote to memory of 4768	4320	svshost.exe	upx_compresser.exe
PID 4328 wrote to memory of 5008	4328	jusched.exe	svshost.exe
PID 4328 wrote to memory of 5008	4328	jusched.exe	svshost.exe
PID 4328 wrote to memory of 5008	4328	jusched.exe	svshost.exe
PID 4768 wrote to memory of 3456	4768	upx_compresser.exe	upx_compresser.exe
PID 4768 wrote to memory of 3456	4768	upx_compresser.exe	upx_compresser.exe
PID 4768 wrote to memory of 3456	4768	upx_compresser.exe	upx_compresser.exe
PID 5008 wrote to memory of 3424	5008		WinlockerBuilderv5.exe
PID 5008 wrote to memory of 3424	5008		WinlockerBuilderv5.exe
PID 5008 wrote to memory of 3424	5008		WinlockerBuilderv5.exe
PID 5008 wrote to memory of 1668	5008		upx_compresser.exe
PID 5008 wrote to memory of 1668	5008		upx_compresser.exe
PID 5008 wrote to memory of 1668	5008		upx_compresser.exe
PID 1668 wrote to memory of 3848	1668	upx_compresser.exe	upx_compresser.exe
PID 1668 wrote to memory of 3848	1668	upx_compresser.exe	upx_compresser.exe
PID 1668 wrote to memory of 3848	1668	upx_compresser.exe	upx_compresser.exe

C:\Users\Admin\AppData\Local\Temp\jusched.exe
"C:\Users\Admin\AppData\Local\Temp\jusched.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Admin\AppData\Local\Temp\svshost.exe
"C:\Users\Admin\AppData\Local\Temp\svshost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4320

C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
"C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4408

C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
"C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4768

C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
"C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Users\Admin\Documents\AudioDriver\taskhost.exe
"C:\Users\Admin\Documents\AudioDriver\taskhost.exe"
5⤵
PID:4380

C:\Users\Admin\Documents\AudioDriver\taskhost.exe
"C:\Users\Admin\Documents\AudioDriver\taskhost.exe"
6⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4328

C:\Users\Admin\AppData\Local\Temp\svshost.exe
"C:\Users\Admin\AppData\Local\Temp\svshost.exe"
3⤵
- Executes dropped EXE
PID:5008

C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
"C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3424

C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
"C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
"C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
5⤵
- Executes dropped EXE
PID:3848

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\svshost.exe
"C:\Users\Admin\AppData\Local\Temp\svshost.exe"
1⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
"C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
2⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
"C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
2⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
"C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
3⤵
PID:4712

C:\Users\Admin\AppData\Local\Temp\Winlock.exe
"C:\Users\Admin\AppData\Local\Temp\Winlock.exe"
1⤵
PID:4404

C:\Windows\SysWOW64\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
2⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
"C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
1⤵
PID:4876

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ad6055 /state1:0x41c64e6d
1⤵
PID:5008

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:3636

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3616

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:3080

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe
Filesize
11.0MB

MD5
5891817266ffedc10d4a84a3bd483239

SHA1
b59d365a91b50ec55ccc1c1b2a70cbf858382aa3

SHA256
51c45fb238881bd25fd7435d8b8e44eee9cc56887a56a7e5f5bdef8ec8392465

SHA512
517c5d785f069ce566c1d89fcc998968a5cdfc6d85bcc7e42cc2e720b4be9b543065cc1c7967635948595fdbb4af3fc7714c8b90aa6035953bca40cba7272c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe
Filesize
11.0MB

MD5
5891817266ffedc10d4a84a3bd483239

SHA1
b59d365a91b50ec55ccc1c1b2a70cbf858382aa3

SHA256
51c45fb238881bd25fd7435d8b8e44eee9cc56887a56a7e5f5bdef8ec8392465

SHA512
517c5d785f069ce566c1d89fcc998968a5cdfc6d85bcc7e42cc2e720b4be9b543065cc1c7967635948595fdbb4af3fc7714c8b90aa6035953bca40cba7272c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Winlock.exe
Filesize
1.3MB

MD5
9c9e4d7b892b219f3a176c72a6c5faa1

SHA1
266c4163f35302e9a84ca04e4d332bdb384c37a4

SHA256
2e8c7b45d174cbc93194d4c4531434855087fc360bb086d48e5fdcb6802711c6

SHA512
c2fc0dad56c0e4414534892daca9fe2b2f22b3ff2c249bf8969648f02f402997b8af2173523e59452a0bd63dffb7e48a482426769f5076382cafa91ee5613ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Winlock.exe
Filesize
1.3MB

MD5
9c9e4d7b892b219f3a176c72a6c5faa1

SHA1
266c4163f35302e9a84ca04e4d332bdb384c37a4

SHA256
2e8c7b45d174cbc93194d4c4531434855087fc360bb086d48e5fdcb6802711c6

SHA512
c2fc0dad56c0e4414534892daca9fe2b2f22b3ff2c249bf8969648f02f402997b8af2173523e59452a0bd63dffb7e48a482426769f5076382cafa91ee5613ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
Filesize
3.0MB

MD5
0df533cb9a581de63e3522954a681603

SHA1
be46afa245289e0d9a84bd1fd1faea8d8c96da5e

SHA256
e3570b276e526f6fb6a289da32583b36cfbd98ec2f59d09c0243fbd0fc0805a3

SHA512
c973e3a8476879dad79f8b37f476d379b90f27cf64ecd359256df94fb811d69226dc50d1e8168d34787cc2d6abf407d8097e37cd60155650dad007a68263661e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
Filesize
3.0MB

MD5
0df533cb9a581de63e3522954a681603

SHA1
be46afa245289e0d9a84bd1fd1faea8d8c96da5e

SHA256
e3570b276e526f6fb6a289da32583b36cfbd98ec2f59d09c0243fbd0fc0805a3

SHA512
c973e3a8476879dad79f8b37f476d379b90f27cf64ecd359256df94fb811d69226dc50d1e8168d34787cc2d6abf407d8097e37cd60155650dad007a68263661e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
Filesize
3.0MB

MD5
0df533cb9a581de63e3522954a681603

SHA1
be46afa245289e0d9a84bd1fd1faea8d8c96da5e

SHA256
e3570b276e526f6fb6a289da32583b36cfbd98ec2f59d09c0243fbd0fc0805a3

SHA512
c973e3a8476879dad79f8b37f476d379b90f27cf64ecd359256df94fb811d69226dc50d1e8168d34787cc2d6abf407d8097e37cd60155650dad007a68263661e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
Filesize
3.0MB

MD5
0df533cb9a581de63e3522954a681603

SHA1
be46afa245289e0d9a84bd1fd1faea8d8c96da5e

SHA256
e3570b276e526f6fb6a289da32583b36cfbd98ec2f59d09c0243fbd0fc0805a3

SHA512
c973e3a8476879dad79f8b37f476d379b90f27cf64ecd359256df94fb811d69226dc50d1e8168d34787cc2d6abf407d8097e37cd60155650dad007a68263661e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
Filesize
3.0MB

MD5
0df533cb9a581de63e3522954a681603

SHA1
be46afa245289e0d9a84bd1fd1faea8d8c96da5e

SHA256
e3570b276e526f6fb6a289da32583b36cfbd98ec2f59d09c0243fbd0fc0805a3

SHA512
c973e3a8476879dad79f8b37f476d379b90f27cf64ecd359256df94fb811d69226dc50d1e8168d34787cc2d6abf407d8097e37cd60155650dad007a68263661e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
Filesize
3.0MB

MD5
0df533cb9a581de63e3522954a681603

SHA1
be46afa245289e0d9a84bd1fd1faea8d8c96da5e

SHA256
e3570b276e526f6fb6a289da32583b36cfbd98ec2f59d09c0243fbd0fc0805a3

SHA512
c973e3a8476879dad79f8b37f476d379b90f27cf64ecd359256df94fb811d69226dc50d1e8168d34787cc2d6abf407d8097e37cd60155650dad007a68263661e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svshost.exe
Filesize
4.0MB

MD5
2df0daacf8be5126ddbaa7ba9a83be58

SHA1
0889fcd78f5bf71ca04280fe97b7507b6b114ba3

SHA256
0936e508e142466b6d83e49b27513be2207822f91ac2d038023a86d6ccd29b2a

SHA512
0348f7511803198d5d81b10bac08b9e9e79bfd1d193c9a72b1bf3883bd49d18ec21a998e4a056206fac539c73843b31c10437838eb38746bd062e682f2df120e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svshost.exe
Filesize
4.0MB

MD5
2df0daacf8be5126ddbaa7ba9a83be58

SHA1
0889fcd78f5bf71ca04280fe97b7507b6b114ba3

SHA256
0936e508e142466b6d83e49b27513be2207822f91ac2d038023a86d6ccd29b2a

SHA512
0348f7511803198d5d81b10bac08b9e9e79bfd1d193c9a72b1bf3883bd49d18ec21a998e4a056206fac539c73843b31c10437838eb38746bd062e682f2df120e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svshost.exe
Filesize
4.0MB

MD5
2df0daacf8be5126ddbaa7ba9a83be58

SHA1
0889fcd78f5bf71ca04280fe97b7507b6b114ba3

SHA256
0936e508e142466b6d83e49b27513be2207822f91ac2d038023a86d6ccd29b2a

SHA512
0348f7511803198d5d81b10bac08b9e9e79bfd1d193c9a72b1bf3883bd49d18ec21a998e4a056206fac539c73843b31c10437838eb38746bd062e682f2df120e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svshost.exe
Filesize
4.0MB

MD5
2df0daacf8be5126ddbaa7ba9a83be58

SHA1
0889fcd78f5bf71ca04280fe97b7507b6b114ba3

SHA256
0936e508e142466b6d83e49b27513be2207822f91ac2d038023a86d6ccd29b2a

SHA512
0348f7511803198d5d81b10bac08b9e9e79bfd1d193c9a72b1bf3883bd49d18ec21a998e4a056206fac539c73843b31c10437838eb38746bd062e682f2df120e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svshost.exe
Filesize
4.0MB

MD5
2df0daacf8be5126ddbaa7ba9a83be58

SHA1
0889fcd78f5bf71ca04280fe97b7507b6b114ba3

SHA256
0936e508e142466b6d83e49b27513be2207822f91ac2d038023a86d6ccd29b2a

SHA512
0348f7511803198d5d81b10bac08b9e9e79bfd1d193c9a72b1bf3883bd49d18ec21a998e4a056206fac539c73843b31c10437838eb38746bd062e682f2df120e

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\Documents\AudioDriver\taskhost.exe
Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\Documents\AudioDriver\taskhost.exe
Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\Documents\AudioDriver\taskhost.exe
Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
memory/1216-712-0x0000000000000000-mapping.dmp

Download
memory/1280-931-0x0000000000000000-mapping.dmp

Download
memory/1668-330-0x0000000000000000-mapping.dmp

Download
memory/1668-427-0x0000000000530000-0x00000000005DE000-memory.dmp

Filesize
696KB

Download
memory/2700-118-0x00007FF9BA9C0000-0x00007FF9BB3F3000-memory.dmp

Filesize
10.2MB

Download
memory/2700-119-0x000000000123A000-0x000000000123F000-memory.dmp

Filesize
20KB

Download
memory/3424-327-0x0000000000000000-mapping.dmp

Download
memory/3456-306-0x000000000048F888-mapping.dmp

Download
memory/3848-445-0x000000000048F888-mapping.dmp

Download
memory/4320-145-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-138-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-154-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-155-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-156-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-157-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-158-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-159-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-160-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-161-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-162-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-163-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-164-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-165-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-166-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-167-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-168-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-169-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-170-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-171-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-121-0x0000000000000000-mapping.dmp

Download
memory/4320-152-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-125-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-127-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-128-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-129-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-130-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-131-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-132-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-135-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-134-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-136-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-137-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-139-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-140-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-141-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-142-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-151-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-143-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-144-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-150-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-146-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-147-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-149-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4320-148-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4328-126-0x00007FF9BA9C0000-0x00007FF9BB3F3000-memory.dmp

Filesize
10.2MB

Download
memory/4328-153-0x0000000002CCA000-0x0000000002CCF000-memory.dmp

Filesize
20KB

Download
memory/4328-120-0x0000000000000000-mapping.dmp

Download
memory/4380-549-0x0000000000000000-mapping.dmp

Download
memory/4408-184-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-174-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-188-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-194-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-181-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-172-0x0000000000000000-mapping.dmp

Download
memory/4408-191-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-175-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-192-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-190-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-176-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-178-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-186-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4408-193-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4616-709-0x0000000000000000-mapping.dmp

Download
memory/4712-862-0x000000000048F888-mapping.dmp

Download
memory/4768-189-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4768-180-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4768-182-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4768-185-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4768-183-0x00000000773B0000-0x000000007753E000-memory.dmp

Filesize
1.6MB

Download
memory/4768-177-0x0000000000000000-mapping.dmp

Download
memory/4768-301-0x00000000006E0000-0x00000000006E9000-memory.dmp

Filesize
36KB

Download
memory/5008-217-0x0000000000000000-mapping.dmp

Download
memory/5072-601-0x000000000048F888-mapping.dmp

Download