Analysis
max time kernel: 150s
max time network: 139s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 01-02-2023 22:25
Static task: static1
Behavioral task behavioral1: sample "Legion Private Bot.exe", resource win7-20220812-en
Behavioral task behavioral2: sample "Legion Private Bot.exe", resource win10v2004-20221111-en

The signatures, process tree, dropped files and memory dumps below all come from behavioral1 (Windows 7 x64); every dump path carries the behavioral1/ prefix.
General
Target: Legion Private Bot.exe
Size: 640KB
MD5: 092334866080e7ec50fccc264d869221
SHA1: b4b69530c71474507e8ec5a341252e11862986e0
SHA256: 1080f3cd4328fd1e0597c4aba89bf5004894c938234f2d2ccf282f1416219864
SHA512: 101eaf97dc6293d7295fccd7883d161c128c780f55d76ba3132685cd92d52d0a417b373d08aa7cdde82f7cf0831776ea959040c7f6fb9568abbf34d365cbc9d9
SSDEEP: 12288:/QGF2tAu9o+JPYx+5psS5GkwqbT7pllql+WZcYrje23UFDd6S7sQo:/7F2tAu9o+JQ+5psSU12olvraDt7s
Malware Config
Extracted: asyncrat (config name: Default)
C2 hosts: 127.0.0.1:6606, 127.0.0.1:7707, 127.0.0.1:8808
Telegram Bot API URL: https://api.telegram.org/bot5345460701:AAELDlYM_8yHwfKYHoYl_27JYXLpT-SLsyY/sendMessage?chat_id=689992339
Mutex: AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%

The three loopback hosts, the ports 6606/7707/8808 and the mutex AsyncMutex_6SI8OkPnk are the AsyncRAT builder defaults, so this build has no real RAT C2 configured. The Telegram bot token and chat_id are the operator-specific values and the only reachable exfiltration channel in this config; treat the token (not the shared api.telegram.org host) as the actionable network IoC.
Signatures

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (6 IoCs)
Async RAT payload (6 IoCs)
The family_stormkitty and asyncrat YARA rules match the same six dumps of PID 2008 (Windows Security Service.exe, the hollowed copy), all taken from the 0x0000000000400000-0x0000000000440000 image region:
- behavioral1/memory/2008-89-0x0000000000400000-0x0000000000440000-memory.dmp
- behavioral1/memory/2008-90-0x0000000000400000-0x0000000000440000-memory.dmp
- behavioral1/memory/2008-92-0x0000000000400000-0x0000000000440000-memory.dmp
- behavioral1/memory/2008-94-0x000000000043B7EE-mapping.dmp
- behavioral1/memory/2008-100-0x0000000000400000-0x0000000000440000-memory.dmp
- behavioral1/memory/2008-105-0x0000000000400000-0x0000000000440000-memory.dmp
The double match is expected rather than a misclassification: the injected image carries an AsyncRAT settings block (the config extracted above) alongside StormKitty's stealer routines, a combination found in AsyncRAT forks that bundle the StormKitty stealer, so both rules fire on the same bytes.
Executes dropped EXE (4 IoCs)
- PID 1944 svc host.exe
- PID 1820 Windows Security Service.exe
- PID 2008 Windows Security Service.exe
- PID 1552 svc host.exe

Loads dropped DLL (2 IoCs)
- PID 1144 Legion Private Bot.exe (2 events)
Reads user/profile data of web browsers (2 TTPs)
Infostealers target the data browsers keep in the user profile: saved credentials, cookies, autofill entries and history. The report lists no per-file IoCs for this signature.
Adds Run key to start application (2 TTPs, 3 IoCs)
All three values are written as RunOnce entries (not Run) under the user's hive, \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce:
- svc host.exe: FoGzRNCsHJ = "C:\Users\Admin\AppData\Roaming\wDWQzMbHJQ\xBLQRnSbFD.exe"
- Legion Private Bot.exe: Windows Services = "C:\Users\Admin\AppData\Roaming\Windows Update Folder\Windows Update.exe"
- Windows Security Service.exe: SoMYYdgGNH = "C:\Users\Admin\AppData\Roaming\GxMBKmkSFT\YdXWJzaKWR.exe"
None of the three target paths appears in the dropped-files list of this run, and the two ten-letter mixed-case names (used for both folder and file) look generated per build. Hunt for RunOnce values pointing into %AppData%\Roaming rather than for these exact paths.
Drops desktop.ini file(s) (8 IoCs)
Windows Security Service.exe (PID 2008) creates and then modifies a desktop.ini under each of four mirrored user folders inside its staging directory (one "File created" and one "File opened for modification" event per folder):
C:\Users\Admin\AppData\Local\d3a728e7315f1e3ffbac33a8bceb24e4\Admin@GRXNNIIE_en-US\Grabber\DRIVE-C\Users\Admin\{Desktop,Documents,Downloads,Pictures}\desktop.ini
The signature is a side effect of the file grabber copying those folders wholesale, desktop.ini included. The staging layout, <32 hex chars>\<user>@<hostname>_<locale>\Grabber\DRIVE-C\..., is a usable on-disk indicator: a Grabber\DRIVE-C subtree under %LocalAppData% has no legitimate reason to exist.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 3: icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info. No flow IoC is listed for this signature.
Suspicious use of SetThreadContext (3 IoCs)
Each stage sets the thread context of a freshly spawned copy of its own image (source PID -> target PID):
- 1604 Legion Private Bot.exe -> 1144 Legion Private Bot.exe
- 1820 Windows Security Service.exe -> 2008 Windows Security Service.exe
- 1944 svc host.exe -> 1552 svc host.exe
Together with the WriteProcessMemory events below this is the RunPE / process hollowing pattern: the parent starts a suspended child of itself, overwrites the child's image with the decrypted payload and redirects the main thread into it. The addresses in the *-mapping.dmp names (0x471B5E for 1144, 0x43B7EE for 2008, 0x403C6E for 1552) are the thread start addresses recorded at that point, i.e. the entry points of the injected images.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Triage's generic description calls this likely ransomware behaviour; in this sample the drive enumeration feeds the stealer's file grabber (see the Grabber\DRIVE-C staging tree above), and nothing in the run shows file encryption.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Windows Security Service.exe: Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
- Windows Security Service.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. The task here (PID 1796 in the process tree) is named "Chrome Update", triggers ONLOGON with /RL HIGHEST, and runs C:\Users\Admin\AppData\Roaming\Windows Security Service.exe.

Modifies system certificate store (2 IoCs)
- Windows Security Service.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
- Windows Security Service.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9
The key name is the SHA-1 thumbprint of the Baltimore CyberTrust Root, and the blob carries that name as its CERT_FRIENDLY_NAME property (the UTF-16LE run 42 00 61 00 6c 00 74 00 ... near the start decodes to "Baltimore CyberTrust Root") followed by the root's DER certificate. Caching a public root under AuthRoot\Certificates is what Windows' automatic root update does the first time a TLS chain needs that root, here triggered by the sample's outbound HTTPS connections, so this signature is a benign side effect of the network activity, not an attacker-installed root. It would deserve attention only if the thumbprint were not a Microsoft Trusted Root Program member.
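Triaging a "Modifies system certificate store" hit comes down to one question: does the blob describe a public root that Windows cached, or something the malware planted under a misleading key name? The following is an added example (not part of the Triage report or of the sample) that decodes a certificate-store Blob value of the kind shown above. BLOB_HEX is copied from the report's D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob value with the two wrapped lines joined and split at record boundaries; the record layout (property id, a reserved dword that is always 1, length, data) and the CERT_*_PROP_ID numbers are those of wincrypt.h.

```python
"""Decode a Windows certificate-store registry Blob (CERT_*_PROP_ID records).

Added example, not code from the report or the sample. BLOB_HEX is the
AuthRoot\\Certificates\\D4DE...\\Blob value from the report, wrapped lines
joined and split here at record boundaries for readability.
"""
import hashlib
import struct

# Property ids from wincrypt.h (only the ones present in this blob).
PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID",
    0x04: "CERT_MD5_HASH_PROP_ID",
    0x09: "CERT_ENHKEY_USAGE_PROP_ID",
    0x0B: "CERT_FRIENDLY_NAME_PROP_ID",
    0x0F: "CERT_SIGNATURE_HASH_PROP_ID",
    0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x19: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    0x1D: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    0x20: "CERT_CERT_PROP_ID",
    0x53: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
}

BLOB_HEX = (
    # 0x04 MD5 hash, 0x0f signature hash
    "040000000100000010000000acb694a59c17e0d791529bb19706a6e4"
    "0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f"
    # 0x0b friendly name, UTF-16LE, 0x34 bytes
    "0b0000000100000034000000"
    "420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f0074000000"
    # 0x53 root program policies, 0x14 key identifier, 0x1d subject-name MD5
    "53000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0"
    "140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df0"
    "1d0000000100000010000000918ad43a9475f78bb5243de886d8103c"
    # 0x09 EKU (serverAuth), 0x03 SHA-1 hash, 0x19 SPKI MD5
    "09000000010000000c000000300a06082b06010505070301"
    "030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474"
    "19000000010000001000000068cb42b035ea773e52ef50ecf50ec529"
    # 0x20 certificate, 0x37b bytes of DER
    "20000000010000007b030000"
    "308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500"
    "305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74"
    "301e170d3030303531323138343630305a170d3235303531323233353930305a"
    "305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74"
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"
    "a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d3"
    "1c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9a"
    "e1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69"
    "bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a39"
    "0203010001"
    "a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106"
    "300d06092a864886f70d01010505000382010100"
    "850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307c"
    "d6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a"
    "18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e"
    "18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9"
)
BLOB = bytes.fromhex(BLOB_HEX)
KEY_NAME = "D4DE20D05E66FC53FE1A50882C78DB2852CAE474"   # registry key from the report


def parse_blob(blob: bytes) -> dict:
    """Split a Blob value into {property_id: data}, refusing malformed records."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed record 0x{prop_id:x} at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def describe(blob: bytes) -> dict:
    """The fields a triager needs: friendly name, stored vs recomputed SHA-1, DER size."""
    props = parse_blob(blob)
    cert = props.get(0x20, b"")
    return {
        "properties": [PROP_NAMES.get(p, f"0x{p:02x}") for p in props],
        "friendly_name": props.get(0x0B, b"").decode("utf-16-le").rstrip("\x00"),
        "stored_sha1": props.get(0x03, b"").hex(),
        "computed_sha1": hashlib.sha1(cert).hexdigest(),
        "cert_len": len(cert),
    }


def key_name_matches_cert(key_name: str, blob: bytes) -> bool:
    """True when the key name, the stored SHA-1 property and the SHA-1 of the
    embedded DER all agree; a mismatch means the blob is not the certificate
    its key name claims and deserves a closer look."""
    d = describe(blob)
    return key_name.lower() == d["stored_sha1"] == d["computed_sha1"]


if __name__ == "__main__":
    info = describe(BLOB)
    print("friendly name :", info["friendly_name"])
    print("SHA-1 (stored):", info["stored_sha1"])
    print("SHA-1 (DER)   :", info["computed_sha1"])
    print("DER length    :", info["cert_len"], "bytes")
    print("key name matches cert:", key_name_matches_cert(KEY_NAME, BLOB))
```

The decoded friendly name and the agreeing thumbprints settle the question for this run: the key is the Baltimore CyberTrust Root cached by the automatic root update. Feeding the same parser a Blob whose recomputed SHA-1 does not match its key name, or whose friendly name is not on the Microsoft Trusted Root Program list, is the case that should be escalated.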
Suspicious behavior: EnumeratesProcesses (51 IoCs)
- PID 2008 Windows Security Service.exe (51 process-enumeration events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- PID 2008 Windows Security Service.exe: Token: SeDebugPrivilege (2 events)
Suspicious use of WriteProcessMemory (64 IoCs)
Collapsed by source -> target pair; the event count per pair is in parentheses and the counts sum to the 64 individual events:
- 1604 Legion Private Bot.exe -> 1144 Legion Private Bot.exe (9)
- 1144 Legion Private Bot.exe -> 1944 svc host.exe (4)
- 1144 Legion Private Bot.exe -> 1820 Windows Security Service.exe (4)
- 1820 Windows Security Service.exe -> 2008 Windows Security Service.exe (9)
- 1944 svc host.exe -> 1552 svc host.exe (9)
- 2008 Windows Security Service.exe -> 1248 cmd.exe (4)
- 1248 cmd.exe -> 1280 chcp.com (4)
- 1248 cmd.exe -> 952 netsh.exe (4)
- 1248 cmd.exe -> 1496 findstr.exe (4)
- 2008 Windows Security Service.exe -> 900 cmd.exe (4)
- 900 cmd.exe -> 1520 chcp.com (4)
- 900 cmd.exe -> 1912 netsh.exe (4)
- 2008 Windows Security Service.exe -> 1796 schtasks.exe (1)
The three same-image pairs with nine writes each are the hollowing targets that also appear under SetThreadContext. The four-write pairs are the ordinary writes a parent performs when it creates a child (the child's process parameters and environment block) and carry no signal on their own.
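The SetThreadContext and WriteProcessMemory tables above are easier to reason about as edges than as 67 individual rows. The following is an added example (not part of the Triage report) of the detection logic a practitioner would run over such API-level events: it groups writes by (source, target) pair and reports hollowing only where a write is followed by a thread-context change, so the creation-time writes every parent performs do not count. EVENTS is constructed from the report's PIDs, image names and per-pair counts; the ApiEvent record shape is this example's own, not Triage's export format.

```python
"""Classify cross-process memory writes from API-level sandbox events.

Added example, not part of the Triage report. EVENTS is constructed from the
report's SetThreadContext and WriteProcessMemory tables (same PIDs, images and
per-pair counts); the ApiEvent shape is this example's own.
"""
from collections import Counter, defaultdict
from typing import Iterable, NamedTuple


class ApiEvent(NamedTuple):
    api: str          # "WriteProcessMemory" or "SetThreadContext"
    src_pid: int
    src_image: str
    dst_pid: int
    dst_image: str


def _edge(api, src, src_img, dst, dst_img, n=1):
    return [ApiEvent(api, src, src_img, dst, dst_img)] * n


LPB, WSS, SVC = "Legion Private Bot.exe", "Windows Security Service.exe", "svc host.exe"

# Constructed from the report's IoC tables: 64 writes, 3 context changes.
EVENTS = (
    _edge("WriteProcessMemory", 1604, LPB, 1144, LPB, 9) + _edge("SetThreadContext", 1604, LPB, 1144, LPB)
    + _edge("WriteProcessMemory", 1144, LPB, 1944, SVC, 4)
    + _edge("WriteProcessMemory", 1144, LPB, 1820, WSS, 4)
    + _edge("WriteProcessMemory", 1820, WSS, 2008, WSS, 9) + _edge("SetThreadContext", 1820, WSS, 2008, WSS)
    + _edge("WriteProcessMemory", 1944, SVC, 1552, SVC, 9) + _edge("SetThreadContext", 1944, SVC, 1552, SVC)
    + _edge("WriteProcessMemory", 2008, WSS, 1248, "cmd.exe", 4)
    + _edge("WriteProcessMemory", 1248, "cmd.exe", 1280, "chcp.com", 4)
    + _edge("WriteProcessMemory", 1248, "cmd.exe", 952, "netsh.exe", 4)
    + _edge("WriteProcessMemory", 1248, "cmd.exe", 1496, "findstr.exe", 4)
    + _edge("WriteProcessMemory", 2008, WSS, 900, "cmd.exe", 4)
    + _edge("WriteProcessMemory", 900, "cmd.exe", 1520, "chcp.com", 4)
    + _edge("WriteProcessMemory", 900, "cmd.exe", 1912, "netsh.exe", 4)
    + _edge("WriteProcessMemory", 2008, WSS, 1796, "schtasks.exe", 1)
)

SELF_HOLLOW = "self-hollowing (RunPE)"
FOREIGN_HOLLOW = "hollowing of another image"
CREATE_ONLY = "process-creation writes only"


def classify(events: Iterable[ApiEvent]) -> list:
    """One verdict per (source, target) pair.

    Hollowing needs both halves: the parent writes the new image into the
    child (WriteProcessMemory) and then redirects execution into it
    (SetThreadContext). Writes with no SetThreadContext are what every parent
    does to a child it has just created, so they are not reported as injection.
    """
    counts = defaultdict(Counter)
    images = {}
    for e in events:
        counts[(e.src_pid, e.dst_pid)][e.api] += 1
        images[(e.src_pid, e.dst_pid)] = (e.src_image, e.dst_image)

    findings = []
    for (src, dst), apis in sorted(counts.items()):
        src_img, dst_img = images[(src, dst)]
        wpm, stc = apis["WriteProcessMemory"], apis["SetThreadContext"]
        if wpm and stc and src_img.lower() == dst_img.lower():
            verdict = SELF_HOLLOW
        elif wpm and stc:
            verdict = FOREIGN_HOLLOW
        else:
            verdict = CREATE_ONLY
        findings.append({"src": (src, src_img), "dst": (dst, dst_img),
                         "writes": wpm, "context_sets": stc, "verdict": verdict})
    return findings


def hollowing_chains(events: Iterable[ApiEvent]) -> list:
    """(source pid, target pid) pairs that meet the hollowing pattern."""
    return [(f["src"][0], f["dst"][0]) for f in classify(events)
            if f["verdict"] in (SELF_HOLLOW, FOREIGN_HOLLOW)]


if __name__ == "__main__":
    for f in classify(EVENTS):
        print(f"{f['src'][0]:>5} {f['src'][1]:<30} -> {f['dst'][0]:>5} {f['dst'][1]:<30} "
              f"wpm={f['writes']:<2} stc={f['context_sets']} {f['verdict']}")
```

On the report's events this yields exactly the three self-hollowing chains (1604 -> 1144, 1820 -> 2008, 1944 -> 1552) and classifies the ten parent-to-child edges into cmd.exe, chcp.com, netsh.exe, findstr.exe and schtasks.exe as creation-time writes. The same-image test is what separates RunPE from injection into a foreign host process; both are reported, but the verdict string tells the analyst which one they are looking at.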
Processes
(PIDs are taken from the IoC tables above; indentation shows parent/child depth.)

PID 1604  C:\Users\Admin\AppData\Local\Temp\Legion Private Bot.exe
          "C:\Users\Admin\AppData\Local\Temp\Legion Private Bot.exe"
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
  PID 1144  C:\Users\Admin\AppData\Local\Temp\Legion Private Bot.exe
            "C:\Users\Admin\AppData\Local\Temp\Legion Private Bot.exe"
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
    PID 1944  C:\Users\Admin\AppData\Roaming\svc host.exe
              "C:\Users\Admin\AppData\Roaming\svc host.exe"
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory
      PID 1552  C:\Users\Admin\AppData\Roaming\svc host.exe
                "C:\Users\Admin\AppData\Roaming\svc host.exe"
                - Executes dropped EXE
    PID 1820  C:\Users\Admin\AppData\Roaming\Windows Security Service.exe
              "C:\Users\Admin\AppData\Roaming\Windows Security Service.exe"
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory
      PID 2008  C:\Users\Admin\AppData\Roaming\Windows Security Service.exe
                "C:\Users\Admin\AppData\Roaming\Windows Security Service.exe"
                - Executes dropped EXE
                - Drops desktop.ini file(s)
                - Checks processor information in registry
                - Modifies system certificate store
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
        PID 1248  C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
                  - Suspicious use of WriteProcessMemory
          PID 1280  C:\Windows\SysWOW64\chcp.com
                    chcp 65001
          PID 952   C:\Windows\SysWOW64\netsh.exe
                    netsh wlan show profile
          PID 1496  C:\Windows\SysWOW64\findstr.exe
                    findstr All
        PID 900   C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
                  - Suspicious use of WriteProcessMemory
          PID 1520  C:\Windows\SysWOW64\chcp.com
                    chcp 65001
          PID 1912  C:\Windows\SysWOW64\netsh.exe
                    netsh wlan show networks mode=bssid
        PID 1796  C:\Windows\SysWOW64\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Roaming\Windows Security Service.exe"
                  - Creates sche
duled task(s)

Notes on the tree:
- The two cmd.exe chains are the stealer's Wi-Fi collection: chcp 65001 switches the console to UTF-8 so the output parses regardless of locale, netsh wlan show profile | findstr All lists the saved profile names (the "All User Profile" lines), and netsh wlan show networks mode=bssid lists nearby access points. No profile-specific follow-up query appears in this run.
- The children live in C:\Windows\SysWOW64 even though schtasks was requested as C:\Windows\System32\schtasks.exe: the payload runs as a 32-bit process on the x64 guest (arch:x86 in the resource tags) and file-system redirection maps System32 to SysWOW64 for it.
- The scheduled task is the durable persistence in this run: ONLOGON, /RL HIGHEST (elevated only if the creating process already was), and a vendor-sounding name ("Chrome Update") pointing at a binary under %AppData%\Roaming rather than anywhere Chrome installs.
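The Run-key table and the schtasks command line above are the persistence evidence of this run, and the checks an analyst applies to them are mechanical enough to script. The following is an added example (not part of the Triage report) that parses a schtasks /create command line, scores the task and the RunOnce values against the dropped-file list, and explains each flag. The command line, the three RunOnce values and the two dropped paths are copied from the report; the heuristics and the vendor word list are this example's own assumptions.

```python
"""Triage the persistence artefacts a sandbox run surfaces.

Added example, not part of the Triage report. SCHTASKS_CMD, RUNONCE and
DROPPED are copied from the report; the scoring rules are this example's own.
"""
import re

SCHTASKS_CMD = (r'"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST '
                r'/tn "Chrome Update" /tr "C:\Users\Admin\AppData\Roaming\Windows Security Service.exe"')

# value name -> command, all under HKU\<sid>\Software\Microsoft\Windows\CurrentVersion\RunOnce
RUNONCE = {
    "FoGzRNCsHJ": r"C:\Users\Admin\AppData\Roaming\wDWQzMbHJQ\xBLQRnSbFD.exe",
    "Windows Services": r"C:\Users\Admin\AppData\Roaming\Windows Update Folder\Windows Update.exe",
    "SoMYYdgGNH": r"C:\Users\Admin\AppData\Roaming\GxMBKmkSFT\YdXWJzaKWR.exe",
}

DROPPED = {  # the report's dropped-file list for this run
    r"C:\Users\Admin\AppData\Roaming\Windows Security Service.exe",
    r"C:\Users\Admin\AppData\Roaming\svc host.exe",
}

VENDOR_WORDS = ("chrome", "google", "windows", "microsoft", "adobe", "java")   # assumed list
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
GENERATED_NAME = re.compile(r"[A-Za-z]{10}")


def tokenize(cmd: str) -> list:
    """Split a Windows command line, keeping quoted arguments whole. No escape
    processing: backslashes are path separators here, not escapes."""
    return [t[1:-1] if t.startswith('"') and t.endswith('"') else t
            for t in re.findall(r'"[^"]*"|\S+', cmd)]


def parse_schtasks(cmd: str) -> dict:
    """Map /flag -> value for a `schtasks /create` line; bare switches such as
    /f map to True. Flag names are lower-cased, values are kept verbatim."""
    tokens = tokenize(cmd)
    out, i = {"image": tokens[0]}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                out[key] = tokens[i + 1]
                i += 2
                continue
            out[key] = True
        i += 1
    return out


def assess_task(cmd: str) -> list:
    """Human-readable reasons the task is worth attention."""
    t = parse_schtasks(cmd)
    tn, tr = str(t.get("tn", "")), str(t.get("tr", ""))
    findings = []
    if str(t.get("sc", "")).upper() == "ONLOGON":
        findings.append("runs at every logon (/sc ONLOGON)")
    if str(t.get("rl", "")).upper() == "HIGHEST":
        findings.append("asks for /RL HIGHEST (elevated only if the creating process was elevated)")
    if USER_WRITABLE.search(tr):
        findings.append(f"action lives under a user-writable profile path: {tr}")
    for word in VENDOR_WORDS:
        if word in tn.lower() and word not in tr.lower():
            findings.append(f"task name {tn!r} borrows vendor name {word!r} but the action path does not mention it")
    return findings


def assess_runonce(values: dict, dropped: set) -> dict:
    """Per RunOnce value, the reasons it matters. Targets are compared
    case-insensitively against the dropped files of the same run."""
    dropped_lc = {p.lower() for p in dropped}
    report = {}
    for name, target in values.items():
        notes = []
        if USER_WRITABLE.search(target):
            notes.append("target under user-writable profile path")
        if target.lower() not in dropped_lc:
            notes.append("target not among files dropped in this run")
        if GENERATED_NAME.fullmatch(name):
            notes.append("ten-letter mixed-case value name (looks generated)")
        report[name] = notes
    return report


if __name__ == "__main__":
    print("scheduled task:")
    for line in assess_task(SCHTASKS_CMD):
        print("  -", line)
    print("RunOnce values:")
    for name, notes in assess_runonce(RUNONCE, DROPPED).items():
        print(f"  {name}: " + "; ".join(notes))
```

Run against the report's data this flags all four properties of the task and, for every RunOnce value, the fact that its target was never written during the run, which is the detail an analyst needs to know before treating those paths as indicators.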
Downloads
Two distinct payloads were dropped; the report lists each copy separately (the drive-less \Users\... form is the same file as seen through image-load events), collapsed here to one entry per file.
- C:\Users\Admin\AppData\Roaming\Windows Security Service.exe (also listed as \Users\Admin\AppData\Roaming\Windows Security Service.exe)
  Filesize: 297KB
  MD5: 46f8b83424bbee8da5fd4f604ff0d980
  SHA1: 70bb6632cdafd5d2b1d12017be7573f997782ddd
  SHA256: 618abb7d696e6545bf5c13f03a45faf1e5c3a15ecbedd0bf59096a62c6c94c9a
  SHA512: 898390de451b8e6b691df6e7fbc3ccfbfd030da7ba6b436bf4a8fe0ebe20f8a2914b346f5775fe9ea7bed6d350f4f66adb6106cf83d22c4116bac384e02fb03c
- C:\Users\Admin\AppData\Roaming\svc host.exe (also listed as \Users\Admin\AppData\Roaming\svc host.exe)
  Filesize: 140KB
  MD5: 397638390e9c49c10200a5cbd7a9ec7f
  SHA1: e763d4cf6f005eac4fa683647d33ff9989069a90
  SHA256: 0b6a4f044f5e73cea182b412fe01dd6b93b959c29c477bb729facc9d6f648c0f
  SHA512: 11e1d3ddc3bc932e39462cf8c5f5f876edcdb609a29913c0d7775a9130e0634836aa1f0d5bc1fe66c4b0c8ceda429a135d3ded37ecb9fc8f36fe0a37b5b34701
Windows Security Service.exe is the stage that unpacks to the StormKitty/AsyncRAT image (PID 2008). svc host.exe unpacks a 96KB image into PID 1552 that no family rule in this run matched, so its role is not established by the report.
Memory dumps
Grouped by process; sizes as reported. The 0x0000000000400000 regions of PIDs 1144, 2008 and 1552 are the hollowed images, and the *-mapping.dmp entries are taken when a thread start address is set.

PID 1604 Legion Private Bot.exe (initial loader)
- memory/1604-54-0x0000000001090000-0x0000000001136000-memory.dmp  664KB
- memory/1604-55-0x0000000076DC1000-0x0000000076DC3000-memory.dmp  8KB
- memory/1604-56-0x0000000000550000-0x000000000055A000-memory.dmp  40KB

PID 1144 Legion Private Bot.exe (hollowed copy)
- memory/1144-57-0x0000000000400000-0x0000000000484000-memory.dmp  528KB
- memory/1144-58-0x0000000000400000-0x0000000000484000-memory.dmp  528KB
- memory/1144-60-0x0000000000400000-0x0000000000484000-memory.dmp  528KB
- memory/1144-62-0x0000000000400000-0x0000000000484000-memory.dmp  528KB
- memory/1144-63-0x0000000000400000-0x0000000000484000-memory.dmp  528KB
- memory/1144-64-0x0000000000471B5E-mapping.dmp
- memory/1144-66-0x0000000000400000-0x0000000000484000-memory.dmp  528KB
- memory/1144-68-0x0000000000400000-0x0000000000484000-memory.dmp  528KB
- memory/1144-69-0x00000000003B0000-0x00000000003B8000-memory.dmp  32KB

PID 1944 svc host.exe
- memory/1944-72-0x0000000000000000-mapping.dmp
- memory/1944-77-0x0000000000340000-0x000000000036A000-memory.dmp  168KB

PID 1820 Windows Security Service.exe
- memory/1820-76-0x0000000000000000-mapping.dmp
- memory/1820-80-0x0000000000FF0000-0x0000000001042000-memory.dmp  328KB

PID 2008 Windows Security Service.exe (hollowed copy; StormKitty/AsyncRAT YARA matches)
- memory/2008-83-0x0000000000400000-0x0000000000440000-memory.dmp  256KB
- memory/2008-84-0x0000000000400000-0x0000000000440000-memory.dmp  256KB
- memory/2008-89-0x0000000000400000-0x0000000000440000-memory.dmp  256KB
- memory/2008-90-0x0000000000400000-0x0000000000440000-memory.dmp  256KB
- memory/2008-92-0x0000000000400000-0x0000000000440000-memory.dmp  256KB
- memory/2008-94-0x000000000043B7EE-mapping.dmp
- memory/2008-100-0x0000000000400000-0x0000000000440000-memory.dmp  256KB
- memory/2008-105-0x0000000000400000-0x0000000000440000-memory.dmp  256KB
- memory/2008-110-0x0000000004A35000-0x0000000004A46000-memory.dmp  68KB
- memory/2008-120-0x0000000004A35000-0x0000000004A46000-memory.dmp  68KB

PID 1552 svc host.exe (hollowed copy)
- memory/1552-85-0x0000000000400000-0x0000000000418000-memory.dmp  96KB
- memory/1552-86-0x0000000000400000-0x0000000000418000-memory.dmp  96KB
- memory/1552-91-0x0000000000400000-0x0000000000418000-memory.dmp  96KB
- memory/1552-95-0x0000000000400000-0x0000000000418000-memory.dmp  96KB
- memory/1552-97-0x0000000000400000-0x0000000000418000-memory.dmp  96KB
- memory/1552-99-0x0000000000403C6E-mapping.dmp
- memory/1552-104-0x0000000000400000-0x0000000000418000-memory.dmp  96KB
- memory/1552-107-0x0000000000400000-0x0000000000418000-memory.dmp  96KB

Command-line children (creation-time mapping dumps only)
- memory/1248-111-0x0000000000000000-mapping.dmp (cmd.exe)
- memory/1280-112-0x0000000000000000-mapping.dmp (chcp.com)
- memory/952-113-0x0000000000000000-mapping.dmp (netsh.exe)
- memory/1496-114-0x0000000000000000-mapping.dmp (findstr.exe)
- memory/900-116-0x0000000000000000-mapping.dmp (cmd.exe)
- memory/1520-117-0x0000000000000000-mapping.dmp (chcp.com)
- memory/1912-118-0x0000000000000000-mapping.dmp (netsh.exe)
- memory/1796-121-0x0000000000000000-mapping.dmp (schtasks.exe)