asyncrat | 80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21

Analysis

max time kernel
151s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21.exe
Size

7.7MB
MD5

41ab78eba18f74db196c3876f49179a8
SHA1

d0b573aafe0ae84468027929ca77f3013e8edeee
SHA256

80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21
SHA512

d37d91027df02cd3cd9799f183ffb21955933b27abd7810593bc33df18ac321c166d5a378ba9f50a34c907a1f3071b5b8370c6329f3d7ec223a240e8992dc68c
SSDEEP

98304:vXYJ3MN/dOFAjqbqLSRlFNjZUlzCCgOU4dcRTzJ1dX/jC7PYxg5N0arG2sD0+9h0:AJcbvq+SrVXCJUs+TzJLLpILrXs

Score

10^/10

asyncrat xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

Attributes

Install_directory
%ProgramData%
install_file
SecurityHealthSystray.exe
telegram
https://api.telegram.org/bot5370417334:AAEZrEauqhTNZInhZ9_-SaapQJIi0hIvjJU

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0007000000018aa3-35.dat	family_xworm
behavioral1/memory/2340-41-0x00000000012D0000-0x0000000001334000-memory.dmp	family_xworm
behavioral1/files/0x0007000000018aa3-32.dat	family_xworm
behavioral1/files/0x000c000000003d5f-135.dat	family_xworm
behavioral1/memory/2632-144-0x00000000008E0000-0x0000000000944000-memory.dmp	family_xworm
behavioral1/files/0x000d000000003d5f-143.dat	family_xworm
behavioral1/memory/2888-151-0x0000000000A90000-0x0000000000AF4000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Async RAT payload 19 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000018b01-44.dat	asyncrat
behavioral1/files/0x0007000000018b01-43.dat	asyncrat
behavioral1/memory/2652-49-0x0000000000050000-0x000000000029A000-memory.dmp	asyncrat
behavioral1/memory/2312-68-0x0000000000400000-0x0000000000692000-memory.dmp	asyncrat
behavioral1/memory/2312-69-0x0000000000400000-0x0000000000692000-memory.dmp	asyncrat
behavioral1/memory/2312-71-0x0000000000400000-0x0000000000692000-memory.dmp	asyncrat
behavioral1/memory/2312-70-0x0000000000400000-0x0000000000692000-memory.dmp	asyncrat
behavioral1/memory/2312-72-0x0000000000400000-0x0000000000692000-memory.dmp	asyncrat
behavioral1/memory/2312-75-0x0000000000400000-0x0000000000692000-memory.dmp	asyncrat
behavioral1/memory/2312-78-0x0000000000400000-0x0000000000692000-memory.dmp	asyncrat
behavioral1/memory/2312-80-0x0000000000400000-0x0000000000692000-memory.dmp	asyncrat
behavioral1/memory/2312-84-0x0000000000400000-0x0000000000692000-memory.dmp	asyncrat
behavioral1/memory/2312-85-0x0000000000400000-0x0000000000692000-memory.dmp	asyncrat
behavioral1/memory/2312-87-0x0000000000400000-0x0000000000692000-memory.dmp	asyncrat
behavioral1/memory/2312-88-0x0000000000400000-0x0000000000692000-memory.dmp	asyncrat
behavioral1/memory/2312-89-0x0000000000400000-0x0000000000692000-memory.dmp	asyncrat
behavioral1/memory/2312-86-0x0000000000400000-0x0000000000692000-memory.dmp	asyncrat
behavioral1/memory/2312-83-0x0000000000400000-0x0000000000692000-memory.dmp	asyncrat
behavioral1/memory/2312-82-0x0000000000400000-0x0000000000692000-memory.dmp	asyncrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk	WindowsSecurity.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk	WindowsSecurity.exe

Executes dropped EXE 8 IoCs

pid	Process
320	tab.exe
2888	Protected.exe
1196	Seting.exe
2900	SecurityHealthSystray.exe
2340	WindowsSecurity.exe
2652	splwow64.exe
2632	WindowsSecurity.exe
2888	WindowsSecurity.exe

Loads dropped DLL 4 IoCs

pid	Process
320	tab.exe
320	tab.exe
320	tab.exe
320	tab.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsSecurity = "C:\\ProgramData\\WindowsSecurity.exe"	WindowsSecurity.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1196 set thread context of 2312	1196	Seting.exe	40

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	SecurityHealthSystray.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2116	schtasks.exe
2072	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2016	powershell.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
1196	Seting.exe
1196	Seting.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe
2652	splwow64.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2340	WindowsSecurity.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	2652	splwow64.exe
Token: SeDebugPrivilege	2652	splwow64.exe
Token: SeDebugPrivilege	1196	Seting.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	2312	RegAsm.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	2340	WindowsSecurity.exe
Token: SeDebugPrivilege	2632	WindowsSecurity.exe
Token: SeDebugPrivilege	2888	WindowsSecurity.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2340	WindowsSecurity.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 320	2044	80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21.exe	28
PID 2044 wrote to memory of 320	2044	80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21.exe	28
PID 2044 wrote to memory of 320	2044	80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21.exe	28
PID 2044 wrote to memory of 320	2044	80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21.exe	28
PID 320 wrote to memory of 2016	320	tab.exe	29
PID 320 wrote to memory of 2016	320	tab.exe	29
PID 320 wrote to memory of 2016	320	tab.exe	29
PID 320 wrote to memory of 2016	320	tab.exe	29
PID 320 wrote to memory of 2888	320	tab.exe	31
PID 320 wrote to memory of 2888	320	tab.exe	31
PID 320 wrote to memory of 2888	320	tab.exe	31
PID 320 wrote to memory of 2888	320	tab.exe	31
PID 320 wrote to memory of 1196	320	tab.exe	32
PID 320 wrote to memory of 1196	320	tab.exe	32
PID 320 wrote to memory of 1196	320	tab.exe	32
PID 320 wrote to memory of 1196	320	tab.exe	32
PID 320 wrote to memory of 2900	320	tab.exe	33
PID 320 wrote to memory of 2900	320	tab.exe	33
PID 320 wrote to memory of 2900	320	tab.exe	33
PID 320 wrote to memory of 2900	320	tab.exe	33
PID 320 wrote to memory of 2340	320	tab.exe	35
PID 320 wrote to memory of 2340	320	tab.exe	35
PID 320 wrote to memory of 2340	320	tab.exe	35
PID 320 wrote to memory of 2340	320	tab.exe	35
PID 2888 wrote to memory of 2652	2888	Protected.exe	34
PID 2888 wrote to memory of 2652	2888	Protected.exe	34
PID 2888 wrote to memory of 2652	2888	Protected.exe	34
PID 1196 wrote to memory of 2172	1196	Seting.exe	39
PID 1196 wrote to memory of 2172	1196	Seting.exe	39
PID 1196 wrote to memory of 2172	1196	Seting.exe	39
PID 1196 wrote to memory of 2172	1196	Seting.exe	39
PID 1196 wrote to memory of 2172	1196	Seting.exe	39
PID 1196 wrote to memory of 2172	1196	Seting.exe	39
PID 1196 wrote to memory of 2172	1196	Seting.exe	39
PID 1196 wrote to memory of 2312	1196	Seting.exe	40
PID 1196 wrote to memory of 2312	1196	Seting.exe	40
PID 1196 wrote to memory of 2312	1196	Seting.exe	40
PID 1196 wrote to memory of 2312	1196	Seting.exe	40
PID 1196 wrote to memory of 2312	1196	Seting.exe	40
PID 1196 wrote to memory of 2312	1196	Seting.exe	40
PID 1196 wrote to memory of 2312	1196	Seting.exe	40
PID 1196 wrote to memory of 2312	1196	Seting.exe	40
PID 1196 wrote to memory of 2312	1196	Seting.exe	40
PID 1196 wrote to memory of 2312	1196	Seting.exe	40
PID 1196 wrote to memory of 2312	1196	Seting.exe	40
PID 1196 wrote to memory of 2312	1196	Seting.exe	40
PID 1196 wrote to memory of 2312	1196	Seting.exe	40
PID 1196 wrote to memory of 2312	1196	Seting.exe	40
PID 1196 wrote to memory of 2312	1196	Seting.exe	40
PID 2340 wrote to memory of 632	2340	WindowsSecurity.exe	42
PID 2340 wrote to memory of 632	2340	WindowsSecurity.exe	42
PID 2340 wrote to memory of 632	2340	WindowsSecurity.exe	42
PID 2340 wrote to memory of 856	2340	WindowsSecurity.exe	44
PID 2340 wrote to memory of 856	2340	WindowsSecurity.exe	44
PID 2340 wrote to memory of 856	2340	WindowsSecurity.exe	44
PID 2312 wrote to memory of 1376	2312	RegAsm.exe	45
PID 2312 wrote to memory of 1376	2312	RegAsm.exe	45
PID 2312 wrote to memory of 1376	2312	RegAsm.exe	45
PID 2312 wrote to memory of 1376	2312	RegAsm.exe	45
PID 1376 wrote to memory of 2116	1376	cmd.exe	47
PID 1376 wrote to memory of 2116	1376	cmd.exe	47
PID 1376 wrote to memory of 2116	1376	cmd.exe	47
PID 1376 wrote to memory of 2116	1376	cmd.exe	47
PID 2340 wrote to memory of 1720	2340	WindowsSecurity.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21.exe
"C:\Users\Admin\AppData\Local\Temp\80c91ecaab6a6a6a7a8cb3df47b111f031ea41beab9f8b8386f4c1bc8d18ff21.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\ProgramData\tab.exe
  "C:\ProgramData\tab.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAcQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZgBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAegBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AawBpACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2016
- - C:\Users\Admin\AppData\Roaming\Protected.exe
    "C:\Users\Admin\AppData\Roaming\Protected.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Users\Admin\AppData\Roaming\splwow64.exe
      "C:\Users\Admin\AppData\Roaming\splwow64.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2652
- - C:\Users\Admin\AppData\Roaming\Seting.exe
    "C:\Users\Admin\AppData\Roaming\Seting.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2172
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2312
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Seting" /tr '"C:\Users\Admin\AppData\Local\Temp\%Windows%\Seting.exe"' & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1376
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Seting" /tr '"C:\Users\Admin\AppData\Local\Temp\%Windows%\Seting.exe"'
        6⤵
        Creates scheduled task(s)
        
        PID:2116
- - C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
    "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2900
- - C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe
    "C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSecurity.exe'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsSecurity.exe'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1720
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsSecurity" /tr "C:\ProgramData\WindowsSecurity.exe"
      4⤵
      Creates scheduled task(s)
      PID:2072

C:\Windows\system32\taskeng.exe
taskeng.exe {988FAE98-089E-4DF3-8658-CDFA8225A1BC} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]
1⤵
PID:2604
- C:\ProgramData\WindowsSecurity.exe
  C:\ProgramData\WindowsSecurity.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\ProgramData\WindowsSecurity.exe
  C:\ProgramData\WindowsSecurity.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsSecurity.exe

Filesize
17KB

MD5
2f59c74465c50116cb97534dbbc099d4

SHA1
6e7524ad6dbdabe8594eb24d77c2c3ded13d6c88

SHA256
a3e2b4423a0e5a9185741cae0fc98504925f92d50569628932c58f5662cdd5c9

SHA512
9691ce9773b43183055a2d8628818caa661197c28e0466e4a4e883ea360d4db666023b41c780e442f608df00b342496534e8ead4b19388bd20a3b85f472447a0

Download Submit
C:\ProgramData\WindowsSecurity.exe

Filesize
257KB

MD5
9ec414592ad6b48b3d0e3644e681cad9

SHA1
7b0c030cc721f211788fac8295a627af3c601550

SHA256
b97f08532bc6d3c0dab53df7d448a6a92fc01ea7ef42ddd1cabb89bde3756b3f

SHA512
e9ab41a521c1536f792bf57af51009268138d15e81320d62c76f4a92c13793025903ba2f98528d02810f8c4b0172d72ec6baa5ddd9c775eb67a17a4ae4d042b2

Download Submit
C:\ProgramData\tab.exe

Filesize
1.5MB

MD5
3c3d74fefc9c2a0a1565ff5b70e3bfc1

SHA1
ef62ba5b6e792eaa19a1219d19bec61258bc31e8

SHA256
0368ceba8676499ecab32bb271776edc2b51936866b8095a499e3737077333f5

SHA512
153e3e8100104b9b097cccad20564bd576490dcd99c47e404a541c4cc189492e84370708bc4de95e22b6675ea55983474fd99752145084175583f4e231c49fcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2TBCVPP0D11WPPE3F108.temp

Filesize
7KB

MD5
b83f0ee7a85dacba03afd58c703c1a2f

SHA1
96d0249f3a75625ca91e191d722d46ba0b0c209d

SHA256
4a6440b906d784113c62bd45f4c13f2a13cf99466d7892013d22fa593d615f20

SHA512
3e6343eeeec794d3b172ebef6456e61152851674a6ccc638b116ac6fb32dc38cf3a6540f28a372b4455a0a42478af24b1aef2e91ca84fdee510803f7aae43fc2

Download Submit
C:\Users\Admin\AppData\Roaming\Protected.exe

Filesize
464KB

MD5
2cb3f939efc83bef7c22c1f3c57b56a9

SHA1
40374b472df7e82f40e49d0498962629fed2e2c8

SHA256
48d03cd1b2edcd4e32800a5de7cd79dcd0bee52ec5df9932f97935f6d622f7bc

SHA512
d5beff43b98c5492b78763516e230d693e7dffc1421c9ae7097092e0d6ad450afacb26d8ff665531ad2f65d012208fb2be9419644055e4b0a6e531dc1b7906e3

Download Submit
C:\Users\Admin\AppData\Roaming\Protected.exe

Filesize
703KB

MD5
16ba75865d34bd19866c12943da93402

SHA1
6c90f1a10f8d7df7c926b2e8ae65b3197038c7c1

SHA256
0354fadc30c53a6da0bcfc2969095e988c7eaf89c7355d814e537c772dca5081

SHA512
42b978ae97479b4bacfd9ffb02831c4751c7c3fc5e014a32274166f31a8a29dcd2fe7948e7b1ac648a587cdf58de6b34cadaa5221a232ffda21aa4a3592ac6da

Download Submit
C:\Users\Admin\AppData\Roaming\Seting.exe

Filesize
501KB

MD5
c9e073fcbd3ea4290d6508134af129b0

SHA1
5d105591582917e5483c99fc3be3de71b58bdeec

SHA256
4650218290ae668de47dd270d8c4933d689e8af54d2fff6097ce870452ad7500

SHA512
b57b888541160b9fd20e39b8c03b01d4bcb93ad85e9f5d762f5292739b315cfd9c379d1b78a643210e8e9c3307b9ff6538576e3ca550ed1f07d731bdb27e6afe

Download Submit
C:\Users\Admin\AppData\Roaming\Seting.exe

Filesize
324KB

MD5
fe3717a932fd1d218cf5f03d69df58aa

SHA1
372b7acc9d25f140b99ea08916c4e1ed56cf0d3d

SHA256
b062e697d759846338715bb15ccb90e3eb61c01ac27010f2a1673c674a9f501e

SHA512
acf924e76bb78a5c3fa2d39f5b1c0c6f31c20589091053502766bb5f93bc09ff2fec8ea89230aeb7248f757c4fa3c6598b0c1fc78e8ceecc734f74b3ed1a0af7

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe

Filesize
375KB

MD5
216ef921adac2bbb51ff6331f61b19e7

SHA1
90c3cfc3b78daa2bfa12d26dbd765fbfd4bc510d

SHA256
5d717d35b913ff6d13c408f294d899ca58bb321598426eca2bea71b9e6edd9ce

SHA512
33b817fe0b8bcca66173dd293de6a4926b5195a990ee575a378eb4c71610dc68bb3e36b70f4498bd8a2fc9d12283b05a8fd296d2108554105f0e49fdb9e89f0c

Download Submit
C:\Users\Admin\AppData\Roaming\splwow64.exe

Filesize
182KB

MD5
d74af452ae344a275458389f4f0538bf

SHA1
6956f23495305ed8d9f550510bc9d29d0e22805b

SHA256
e5da6115c3a6c1ef94b9af227d7f558d819a3ccf94220a89c7a45a426588ae57

SHA512
0e6897767f02dbd9dcd15ba298f401f355a0f068dcd9884999cacbc9da7f17612040b93a56b868f69eaa6231d1bc6ae1019bd023ca71301ddacfaa9c2a7a6e8b

Download Submit
C:\Users\Admin\AppData\Roaming\splwow64.exe

Filesize
223KB

MD5
3ff916794753c4e4927b91e46bd3479d

SHA1
b4e83804eff978aacb6a1e3f4b3305d0f428adb7

SHA256
551f1cc4eeadc9ba5cd0085dc3e56547caad5f561c61681e69356a35b57859b8

SHA512
b39900544764de97091cf70942c45800261d819557e5a4c2974218c91178afa9df6f79c71258fbdc8246cb68bc560f532dccc04e684eb50923479b6db567d4c2

Download Submit
\Users\Admin\AppData\Roaming\Protected.exe

Filesize
707KB

MD5
5542a9d5571e31a12a912d456d25e5f5

SHA1
72ec829a513660a02d56ae294e53bae82c441577

SHA256
eedb0bbcbc4566a1b28b132c50a4bee5ed73d23a63afee9c5a9f1169cab2afa1

SHA512
fff318e572b5ae934c2a1d8274b523749c60dff083aa9a496bfb399324b5b5c2fb93a2fda26b5ab09677ec6bbe3862e36dda8c879196bbdfad1187dcc0df8acb

Download Submit
\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe

Filesize
300KB

MD5
9c19d058a894e35cad64a0dab5f5a56f

SHA1
c41047677b50f5225eea3eb94df73bb99e43e076

SHA256
0e3b7bce0fb97f6860d6dd9142648188dce14573725d400174882e600e64bdbd

SHA512
bdd50eaff1363f253c58e66dace5f2022897bad460617b3aa1b24d4699de674f30ebda926497bf82f6c16c7bff295f54eef984f2c3daa5dcd7099d74eb7f0fbe

Download Submit
\Users\Admin\AppData\Roaming\Seting.exe

Filesize
479KB

MD5
e7157beedeab41327aebc1ac9ef15cae

SHA1
d911f9dfa661406550ec189585fdac9a036bd736

SHA256
01f435a722416dcc051665284867e44346f3b2736b7b4e0734e64c2af311b3b7

SHA512
e055ab68d67ada5fb0613a79abae0cd76ff25bc257e905e992b491702a15de39b6543778ed352f88e6e000ce698e7cc10d880cf0bf88a69ff14588046eec937b

Download Submit
\Users\Admin\AppData\Roaming\WindowsSecurity.exe

Filesize
314KB

MD5
ddb88c45d1eaedc645adf5b365068293

SHA1
585ce0afed5faa4f89294a05ffad08d45f793714

SHA256
eeb9dec97cfd75694faa29c610c324c9ef1526e280702a5807587c9306156870

SHA512
a4e9c4ffb6d407293014ddeb6ab73dc4736ab1754d6d356bd3d3d3586f4cf33d247491a9383ecd58557c08a9f0f554acb066755d92e0cee070075f62802c675b

Download Submit
memory/632-97-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/632-99-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/632-96-0x000007FEEE130000-0x000007FEEEACD000-memory.dmp

Filesize
9.6MB

Download
memory/632-95-0x00000000020C0000-0x00000000020C8000-memory.dmp

Filesize
32KB

Download
memory/632-101-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/632-94-0x000000001B420000-0x000000001B702000-memory.dmp

Filesize
2.9MB

Download
memory/632-100-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/632-102-0x000007FEEE130000-0x000007FEEEACD000-memory.dmp

Filesize
9.6MB

Download
memory/632-98-0x000007FEEE130000-0x000007FEEEACD000-memory.dmp

Filesize
9.6MB

Download
memory/856-116-0x000007FEED790000-0x000007FEEE12D000-memory.dmp

Filesize
9.6MB

Download
memory/856-114-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/856-108-0x000000001B450000-0x000000001B732000-memory.dmp

Filesize
2.9MB

Download
memory/856-109-0x000007FEED790000-0x000007FEEE12D000-memory.dmp

Filesize
9.6MB

Download
memory/856-110-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/856-112-0x000007FEED790000-0x000007FEEE12D000-memory.dmp

Filesize
9.6MB

Download
memory/856-111-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/856-113-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/856-115-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/1196-58-0x0000000000BB0000-0x0000000000BF0000-memory.dmp

Filesize
256KB

Download
memory/1196-55-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/1196-77-0x00000000739A0000-0x000000007408E000-memory.dmp

Filesize
6.9MB

Download
memory/1196-64-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/1196-53-0x0000000001130000-0x000000000128E000-memory.dmp

Filesize
1.4MB

Download
memory/1720-127-0x0000000002660000-0x00000000026E0000-memory.dmp

Filesize
512KB

Download
memory/1720-122-0x000000001B200000-0x000000001B4E2000-memory.dmp

Filesize
2.9MB

Download
memory/1720-131-0x0000000002660000-0x00000000026E0000-memory.dmp

Filesize
512KB

Download
memory/1720-123-0x000007FEEE130000-0x000007FEEEACD000-memory.dmp

Filesize
9.6MB

Download
memory/1720-125-0x0000000002630000-0x0000000002638000-memory.dmp

Filesize
32KB

Download
memory/1720-124-0x0000000002660000-0x00000000026E0000-memory.dmp

Filesize
512KB

Download
memory/1720-132-0x000007FEEE130000-0x000007FEEEACD000-memory.dmp

Filesize
9.6MB

Download
memory/1720-126-0x000007FEEE130000-0x000007FEEEACD000-memory.dmp

Filesize
9.6MB

Download
memory/1720-128-0x0000000002660000-0x00000000026E0000-memory.dmp

Filesize
512KB

Download
memory/2016-51-0x0000000073010000-0x00000000735BB000-memory.dmp

Filesize
5.7MB

Download
memory/2016-52-0x0000000002550000-0x0000000002590000-memory.dmp

Filesize
256KB

Download
memory/2016-54-0x0000000073010000-0x00000000735BB000-memory.dmp

Filesize
5.7MB

Download
memory/2016-56-0x0000000002550000-0x0000000002590000-memory.dmp

Filesize
256KB

Download
memory/2016-57-0x0000000002550000-0x0000000002590000-memory.dmp

Filesize
256KB

Download
memory/2016-63-0x0000000073010000-0x00000000735BB000-memory.dmp

Filesize
5.7MB

Download
memory/2044-0-0x0000000000320000-0x0000000000ADA000-memory.dmp

Filesize
7.7MB

Download
memory/2044-7-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

Filesize
9.9MB

Download
memory/2044-1-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp

Filesize
9.9MB

Download
memory/2312-72-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2312-67-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2312-75-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2312-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2312-82-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2312-70-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2312-71-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2312-69-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2312-68-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2312-78-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2312-65-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2312-83-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2312-86-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2312-89-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2312-80-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2312-88-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2312-87-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2312-85-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2312-84-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2340-60-0x000000001B570000-0x000000001B5F0000-memory.dmp

Filesize
512KB

Download
memory/2340-129-0x000000001B570000-0x000000001B5F0000-memory.dmp

Filesize
512KB

Download
memory/2340-59-0x000007FEF4AF0000-0x000007FEF54DC000-memory.dmp

Filesize
9.9MB

Download
memory/2340-39-0x000007FEF4AF0000-0x000007FEF54DC000-memory.dmp

Filesize
9.9MB

Download
memory/2340-41-0x00000000012D0000-0x0000000001334000-memory.dmp

Filesize
400KB

Download
memory/2632-144-0x00000000008E0000-0x0000000000944000-memory.dmp

Filesize
400KB

Download
memory/2632-146-0x000007FEF4AF0000-0x000007FEF54DC000-memory.dmp

Filesize
9.9MB

Download
memory/2632-145-0x000007FEF4AF0000-0x000007FEF54DC000-memory.dmp

Filesize
9.9MB

Download
memory/2652-49-0x0000000000050000-0x000000000029A000-memory.dmp

Filesize
2.3MB

Download
memory/2652-130-0x00000000005C0000-0x0000000000640000-memory.dmp

Filesize
512KB

Download
memory/2652-45-0x000007FEF4AF0000-0x000007FEF54DC000-memory.dmp

Filesize
9.9MB

Download
memory/2652-62-0x000007FEF4AF0000-0x000007FEF54DC000-memory.dmp

Filesize
9.9MB

Download
memory/2652-61-0x00000000005C0000-0x0000000000640000-memory.dmp

Filesize
512KB

Download
memory/2888-48-0x000007FEF4AF0000-0x000007FEF54DC000-memory.dmp

Filesize
9.9MB

Download
memory/2888-21-0x0000000001280000-0x00000000017F4000-memory.dmp

Filesize
5.5MB

Download
memory/2888-20-0x000007FEF4AF0000-0x000007FEF54DC000-memory.dmp

Filesize
9.9MB

Download
memory/2888-151-0x0000000000A90000-0x0000000000AF4000-memory.dmp

Filesize
400KB

Download
memory/2888-152-0x000007FEF4AF0000-0x000007FEF54DC000-memory.dmp

Filesize
9.9MB

Download
memory/2888-153-0x000007FEF4AF0000-0x000007FEF54DC000-memory.dmp

Filesize
9.9MB

Download
memory/2900-40-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download