Analysis
max time kernel: 150s
max time network: 42s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 08-09-2022 14:59
Static task: static1
Behavioral task: behavioral1
  Sample: Takeaway.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Takeaway.exe
  Resource: win10v2004-20220812-en
General
Target: Takeaway.exe
Size: 380KB
MD5: a1ef511c6b47307948465fe6e1af6997
SHA1: 103f8cc1af6581b4be3f606fd86940d632a450d1
SHA256: dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584
SHA512: 8cc28fc5e1e3e000e977f2f55fa9cf938dd29346e656d013c9ac126572d6eab469b3c3cac9d83683e37c3a220d1a12b22abb0d388483eab07a3ed92965be6821
SSDEEP: 6144:QsCwu+mWhJifvtNP/7YXSLB80PqO/PhR3p0Ov6Po5/RrVqB8hgh6mTi:NxmIJQvPkitEqZR3p0u6+URTi
Malware Config
Extracted from: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Emails: GetDecoding@zimbabwe.su, getdecoding@msgsafe.io
Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (2 IoCs)
Processes: NS2.exe, winhost.exe
pid | process
284 | NS2.exe
1856 | winhost.exe
Modifies extensions of user files (1 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: winhost.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Pictures\ResolveConvertFrom.tiff | winhost.exe

Deletes itself (1 IoCs)
Processes: winhost.exe
pid | process
1856 | winhost.exe
Drops startup file (5 IoCs)
Processes: winhost.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | winhost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | winhost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exe | winhost.exe
Loads dropped DLL (4 IoCs)
Processes: powershell.exe
pid | process
1040 | powershell.exe
1040 | powershell.exe
1040 | powershell.exe
1040 | powershell.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 3 IoCs)
Processes: winhost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winhost.exe = "C:\\Windows\\System32\\winhost.exe" | winhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | winhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | winhost.exe
Drops desktop.ini file(s) (64 IoCs)
Processes: winhost.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Videos\desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\P35Q2WMD\desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O0UAU3O6\desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | winhost.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | winhost.exe
File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | winhost.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FIOPHPFJ\desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | winhost.exe
File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | winhost.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | winhost.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AA1AI21V\desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | winhost.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | winhost.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | winhost.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | winhost.exe
File opened for modification | C:\Program Files\Microsoft Games\Purble Place\desktop.ini | winhost.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | winhost.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | winhost.exe
File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | winhost.exe
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | winhost.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | winhost.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | winhost.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | winhost.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini | winhost.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\9W0XRO68\desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | winhost.exe
File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | winhost.exe
File opened for modification | C:\Program Files\desktop.ini | winhost.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | winhost.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1FJGZ2IT\desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | winhost.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | winhost.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | winhost.exe
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\desktop.ini | winhost.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | winhost.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | winhost.exe
File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | winhost.exe
File opened for modification | C:\$Recycle.Bin\S-1-5-21-999675638-2867687379-27515722-1000\desktop.ini | winhost.exe
File opened for modification | C:\Program Files\Microsoft Games\FreeCell\desktop.ini | winhost.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini | winhost.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | winhost.exe
File opened for modification | C:\Users\Public\desktop.ini | winhost.exe
Drops file in System32 directory (2 IoCs)
Processes: winhost.exe
description | ioc | process
File created | C:\Windows\System32\winhost.exe | winhost.exe
File created | C:\Windows\System32\Info.hta | winhost.exe
Drops file in Program Files directory (64 IoCs)
Processes: winhost.exe
description | ioc | process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-threaddump.jar.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files\Java\jre7\lib\cmm\GRAY.pf.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libedummy_plugin.dll | winhost.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_ca.dll | winhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_left_over.gif.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File created | C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\lt.pak.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Almaty.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-uihandler.jar.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl.css.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\gadget.xml | winhost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher_1.3.0.v20140415-2008.jar.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152704.WMF.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files\Windows Journal\fr-FR\MSPVWCTL.DLL.mui | winhost.exe
File opened for modification | C:\Program Files\Windows Sidebar\es-ES\sbdrop.dll.mui | winhost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_ja_4.4.0.v20140623020002.jar.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT+11.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\icudtl.dat.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kamchatka | winhost.exe
File opened for modification | C:\Program Files\Java\jre7\lib\plugin.jar.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE01172_.WMF | winhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02055_.GIF | winhost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_shmem.dll | winhost.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\logo.png | winhost.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FPLACE.DLL | winhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\OneNoteSyncPCIntl.dll.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MAPISHELL.DLL | winhost.exe
File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\WordpadFilter.dll | winhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\REPTWIZ.POC.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | winhost.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_ja_4.4.0.v20140623020002.jar.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\FPEXT.MSG.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315612.JPG | winhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Custom.propdesc.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\SUBMIT.JS | winhost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\setup.swf | winhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Form.zip.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\flyout.html | winhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099172.WMF | winhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR49B.GIF.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\TRANSMRR.DLL | winhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSAEXP30.DLL.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe | winhost.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe AIR\sentinel | winhost.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\PIXEL.ELM.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-attach.xml | winhost.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXPSRV.DLL.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\OFFICE10.MMW.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialReport.dotx | winhost.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui | winhost.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe | winhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLPERF.INI.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\TAB_OFF.GIF.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SPANISH.LNG.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novosibirsk.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\logo.png | winhost.exe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185774.WMF.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21503_.GIF.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\JSProfilerCore.dll | winhost.exe
File opened for modification | C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.lnk.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237336.WMF.id-D3DD0F94.[GetDecoding@zimbabwe.su].get | winhost.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR28F.GIF | winhost.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Interacts with shadow copies (2 TTPs, 3 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe, vssadmin.exe, vssadmin.exe
pid | process
1948 | vssadmin.exe
1956 | vssadmin.exe
1388 | vssadmin.exe
Modifies Internet Explorer settings
Processes: mshta.exe, mshta.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: powershell.exe, powershell.exe, winhost.exe
pid | process
1040 | powershell.exe
1040 | powershell.exe
1040 | powershell.exe
816 | powershell.exe
1040 | powershell.exe
1040 | powershell.exe
1856 | winhost.exe
1856 | winhost.exe
1856 | winhost.exe
1040 | powershell.exe
1040 | powershell.exe
1040 | powershell.exe
1040 | powershell.exe
1040 | powershell.exe
1040 | powershell.exe
1040 | powershell.exe
1040 | powershell.exe
1040 | powershell.exe
1856 | winhost.exe
1856 | winhost.exe
1040 | powershell.exe
1040 | powershell.exe
1040 | powershell.exe
1856 | winhost.exe
1856 | winhost.exe
1040 | powershell.exe
1040 | powershell.exe
1040 | powershell.exe
1856 | winhost.exe
1040 | powershell.exe
1040 | powershell.exe
1040 | powershell.exe
1856 | winhost.exe
1856 | winhost.exe
1040 | powershell.exe
1040 | powershell.exe
1040 | powershell.exe
1856 | winhost.exe
1040 | powershell.exe
1040 | powershell.exe
1040 | powershell.exe
1856 | winhost.exe
816 | powershell.exe
816 | powershell.exe
816 | powershell.exe
816 | powershell.exe
816 | powershell.exe
816 | powershell.exe
816 | powershell.exe
816 | powershell.exe
816 | powershell.exe
816 | powershell.exe
816 | powershell.exe
816 | powershell.exe
816 | powershell.exe
816 | powershell.exe
816 | powershell.exe
816 | powershell.exe
816 | powershell.exe
816 | powershell.exe
816 | powershell.exe
816 | powershell.exe
816 | powershell.exe
816 | powershell.exe
Suspicious use of AdjustPrivilegeToken (39 IoCs)
Processes: powershell.exe, powershell.exe, vssvc.exe, powershell.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 1040 | powershell.exe
Token: SeDebugPrivilege | 816 | powershell.exe
Token: SeBackupPrivilege | 2040 | vssvc.exe
Token: SeRestorePrivilege | 2040 | vssvc.exe
Token: SeAuditPrivilege | 2040 | vssvc.exe
Token: SeIncBasePriorityPrivilege | 1040 | powershell.exe
Token: SeDebugPrivilege | 1280 | powershell.exe
Token: SeBackupPrivilege | 1280 | powershell.exe
Token: SeSecurityPrivilege | 1280 | powershell.exe
Token: SeBackupPrivilege | 1280 | powershell.exe
Token: SeBackupPrivilege | 1280 | powershell.exe
Token: SeSecurityPrivilege | 1280 | powershell.exe
Token: SeBackupPrivilege | 1280 | powershell.exe
Token: SeBackupPrivilege | 1280 | powershell.exe
Token: SeSecurityPrivilege | 1280 | powershell.exe
Token: SeBackupPrivilege | 1280 | powershell.exe
Token: SeBackupPrivilege | 1280 | powershell.exe
Token: SeSecurityPrivilege | 1280 | powershell.exe
Token: SeBackupPrivilege | 1280 | powershell.exe
Token: SeBackupPrivilege | 1280 | powershell.exe
Token: SeSecurityPrivilege | 1280 | powershell.exe
Token: SeBackupPrivilege | 1280 | powershell.exe
Token: SeBackupPrivilege | 1280 | powershell.exe
Token: SeSecurityPrivilege | 1280 | powershell.exe
Token: SeBackupPrivilege | 1280 | powershell.exe
Token: SeSecurityPrivilege | 1280 | powershell.exe
Token: SeBackupPrivilege | 1280 | powershell.exe
Token: SeSecurityPrivilege | 1280 | powershell.exe
Token: SeSecurityPrivilege | 1280 | powershell.exe
Token: SeBackupPrivilege | 1280 | powershell.exe
Token: SeBackupPrivilege | 1280 | powershell.exe
Token: SeSecurityPrivilege | 1280 | powershell.exe
Token: SeBackupPrivilege | 1280 | powershell.exe
Token: SeBackupPrivilege | 1280 | powershell.exe
Token: SeSecurityPrivilege | 1280 | powershell.exe
Token: SeBackupPrivilege | 1280 | powershell.exe
Token: SeBackupPrivilege | 940 | vssvc.exe
Token: SeRestorePrivilege | 940 | vssvc.exe
Token: SeAuditPrivilege | 940 | vssvc.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: Takeaway.exe, powershell.exe, csc.exe, winhost.exe, cmd.exe, NS2.exe, powershell.exe, cmd.exe
description | pid | process | target process
PID 900 wrote to memory of 1040 | 900 | Takeaway.exe | powershell.exe
PID 900 wrote to memory of 1040 | 900 | Takeaway.exe | powershell.exe
PID 900 wrote to memory of 1040 | 900 | Takeaway.exe | powershell.exe
PID 900 wrote to memory of 1040 | 900 | Takeaway.exe | powershell.exe
PID 1040 wrote to memory of 268 | 1040 | powershell.exe | csc.exe
PID 1040 wrote to memory of 268 | 1040 | powershell.exe | csc.exe
PID 1040 wrote to memory of 268 | 1040 | powershell.exe | csc.exe
PID 1040 wrote to memory of 268 | 1040 | powershell.exe | csc.exe
PID 268 wrote to memory of 904 | 268 | csc.exe | cvtres.exe
PID 268 wrote to memory of 904 | 268 | csc.exe | cvtres.exe
PID 268 wrote to memory of 904 | 268 | csc.exe | cvtres.exe
PID 268 wrote to memory of 904 | 268 | csc.exe | cvtres.exe
PID 1040 wrote to memory of 816 | 1040 | powershell.exe | powershell.exe
PID 1040 wrote to memory of 816 | 1040 | powershell.exe | powershell.exe
PID 1040 wrote to memory of 816 | 1040 | powershell.exe | powershell.exe
PID 1040 wrote to memory of 816 | 1040 | powershell.exe | powershell.exe
PID 1040 wrote to memory of 284 | 1040 | powershell.exe | NS2.exe
PID 1040 wrote to memory of 284 | 1040 | powershell.exe | NS2.exe
PID 1040 wrote to memory of 284 | 1040 | powershell.exe | NS2.exe
PID 1040 wrote to memory of 284 | 1040 | powershell.exe | NS2.exe
PID 1040 wrote to memory of 1856 | 1040 | powershell.exe | winhost.exe
PID 1040 wrote to memory of 1856 | 1040 | powershell.exe | winhost.exe
PID 1040 wrote to memory of 1856 | 1040 | powershell.exe | winhost.exe
PID 1040 wrote to memory of 1856 | 1040 | powershell.exe | winhost.exe
PID 1856 wrote to memory of 1944 | 1856 | winhost.exe | cmd.exe
PID 1856 wrote to memory of 1944 | 1856 | winhost.exe | cmd.exe
PID 1856 wrote to memory of 1944 | 1856 | winhost.exe | cmd.exe
PID 1856 wrote to memory of 1944 | 1856 | winhost.exe | cmd.exe
PID 1944 wrote to memory of 1780 | 1944 | cmd.exe | mode.com
PID 1944 wrote to memory of 1780 | 1944 | cmd.exe | mode.com
PID 1944 wrote to memory of 1780 | 1944 | cmd.exe | mode.com
PID 1944 wrote to memory of 1948 | 1944 | cmd.exe | vssadmin.exe
PID 1944 wrote to memory of 1948 | 1944 | cmd.exe | vssadmin.exe
PID 1944 wrote to memory of 1948 | 1944 | cmd.exe | vssadmin.exe
PID 284 wrote to memory of 1536 | 284 | NS2.exe | cmd.exe
PID 284 wrote to memory of 1536 | 284 | NS2.exe | cmd.exe
PID 284 wrote to memory of 1536 | 284 | NS2.exe | cmd.exe
PID 284 wrote to memory of 1536 | 284 | NS2.exe | cmd.exe
PID 816 wrote to memory of 1956 | 816 | powershell.exe | vssadmin.exe
PID 816 wrote to memory of 1956 | 816 | powershell.exe | vssadmin.exe
PID 816 wrote to memory of 1956 | 816 | powershell.exe | vssadmin.exe
PID 816 wrote to memory of 1956 | 816 | powershell.exe | vssadmin.exe
PID 816 wrote to memory of 1280 | 816 | powershell.exe | powershell.exe
PID 816 wrote to memory of 1280 | 816 | powershell.exe | powershell.exe
PID 816 wrote to memory of 1280 | 816 | powershell.exe | powershell.exe
PID 816 wrote to memory of 1280 | 816 | powershell.exe | powershell.exe
PID 1856 wrote to memory of 1988 | 1856 | winhost.exe | cmd.exe
PID 1856 wrote to memory of 1988 | 1856 | winhost.exe | cmd.exe
PID 1856 wrote to memory of 1988 | 1856 | winhost.exe | cmd.exe
PID 1856 wrote to memory of 1988 | 1856 | winhost.exe | cmd.exe
PID 1856 wrote to memory of 688 | 1856 | winhost.exe | mshta.exe
PID 1856 wrote to memory of 688 | 1856 | winhost.exe | mshta.exe
PID 1856 wrote to memory of 688 | 1856 | winhost.exe | mshta.exe
PID 1856 wrote to memory of 688 | 1856 | winhost.exe | mshta.exe
PID 1856 wrote to memory of 1936 | 1856 | winhost.exe | mshta.exe
PID 1856 wrote to memory of 1936 | 1856 | winhost.exe | mshta.exe
PID 1856 wrote to memory of 1936 | 1856 | winhost.exe | mshta.exe
PID 1856 wrote to memory of 1936 | 1856 | winhost.exe | mshta.exe
PID 1988 wrote to memory of 1636 | 1988 | cmd.exe | mode.com
PID 1988 wrote to memory of 1636 | 1988 | cmd.exe | mode.com
PID 1988 wrote to memory of 1636 | 1988 | cmd.exe | mode.com
PID 1988 wrote to memory of 1388 | 1988 | cmd.exe | vssadmin.exe
PID 1988 wrote to memory of 1388 | 1988 | cmd.exe | vssadmin.exe
PID 1988 wrote to memory of 1388 | 1988 | cmd.exe | vssadmin.exe
Processes
(process tree; [n] is the nesting depth, followed by the image path, the command line, and the signatures hit)

[1] C:\Users\Admin\AppData\Local\Temp\Takeaway.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Takeaway.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -noLogo -noProfile -File takeaway.ps1 winhost
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ikqoqosy.cmdline"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E32.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4E21.tmp"
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File purgeMemory.ps1
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\vssadmin.exe
          Command line: "C:\Windows\system32\vssadmin.exe" delete shadows /all
          - Interacts with shadow copies
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\NS2.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\NS2.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c cls
    [3] C:\Users\Admin\AppData\Local\Temp\winhost.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\winhost.exe"
        - Executes dropped EXE
        - Modifies extensions of user files
        - Deletes itself
        - Drops startup file
        - Adds Run key to start application
        - Drops desktop.ini file(s)
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\mode.com
            Command line: mode con cp select=1251
        [5] C:\Windows\system32\vssadmin.exe
            Command line: vssadmin delete shadows /all /quiet
            - Interacts with shadow copies
      [4] C:\Windows\system32\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\mode.com
            Command line: mode con cp select=1251
        [5] C:\Windows\system32\vssadmin.exe
            Command line: vssadmin delete shadows /all /quiet
            - Interacts with shadow copies
      [4] C:\Windows\System32\mshta.exe
          Command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          - Modifies Internet Explorer settings
      [4] C:\Windows\System32\mshta.exe
          Command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
          - Modifies Internet Explorer settings

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\System32\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding

[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
  Filesize: 7KB
  MD5: 4686c2796b69ec9b1cb36ded2b53dc6e
  SHA1: 33f8bc3ac98bb2579d7e4b5e1967ac2ad4e5bd95
  SHA256: 692b414708a7e26858b7bfe867a2de5c4fdf7a9c0eb2924cc7a93c0c37e8a4d2
  SHA512: cd1ffa9055f7e13c2942a494d90014c5e8f20b51ecce9952fed7433b32e317cc9eea951ca8026a0a4bbf6b57bffc7b33f9fde76e21f643e79d8f8c025e984092

C:\Users\Admin\AppData\Local\Temp\NS2.exe
  Filesize: 125KB
  MD5: 597de376b1f80c06d501415dd973dcec
  SHA1: 629c9649ced38fd815124221b80c9d9c59a85e74
  SHA256: f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446
  SHA512: 072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b
-
C:\Users\Admin\AppData\Local\Temp\RES4E32.tmpFilesize
1KB
MD5e0279d35563648ab6d2ec67f77e51444
SHA11ee76363f60249bace03ddec3dbb626c788f9e3d
SHA25607631ee8aa84c969ceaf625a57709ebaf10e624530c379fdf9968471facbd0b6
SHA51263a91825823f9404818c286c16720f91a4bdb4ce6b3cfee9a22b2ac6e0a158e1f742fa81f15a4ac81d25a8983c59a7fa41e3b4b15001d918c1eafaa92ed6cd9d
-
C:\Users\Admin\AppData\Local\Temp\ikqoqosy.dll
Filesize 3KB
MD5 620e25f6587c20eea8487651039a6f70
SHA1 b23c9fb64a847976d9fdeafc18c2ea95a5bdcbcb
SHA256 828d55775a153df070bc6cc50cbc176e7711bb850d651678f357133e97c921ea
SHA512 d9f295792e7b1ae3579cd865a731e0c55ce64225f379d0bc46cd0f3a6019444a72137067ba9b938c0bf4d196cfd36e310dee1a5a7a040e00e82016f572bd54f4
-
C:\Users\Admin\AppData\Local\Temp\ikqoqosy.pdb
Filesize 7KB
MD5 9a0e6715ff4eb091ffac33f166932504
SHA1 d2df5dbe1152e19d15179810ccf6370e3cf70886
SHA256 74e8efbb74eb6469f1486c1bdd5c7640cd5b5041e7d53aae4493132f2f180b83
SHA512 bb0397e55480c0038a6bdb6f3e5d12ef3c561ce54f6319ac7d9f3dc26f202895db04964ba397b25b48e5b2dd20313519eb9c7c024512b42e074faa0fab340279
-
C:\Users\Admin\AppData\Local\Temp\purgeMemory.ps1
Filesize 8KB
MD5 31e22820cba11f6c7670854ed65f09ed
SHA1 9ab447c539234e75b56b3e180f3541580ffa0cea
SHA256 6a808299703119635c68fcadb14b7301775b49eb5948aeb319b6728f1686f035
SHA512 fbc97b21f9627687070edf9727f68062e8d5d71447497a0a0bd63bbe2ea3b0e753849226cb4cd9688f838e103e348dc070dc8360937e2662ff23291c4b2910fe
-
C:\Users\Admin\AppData\Local\Temp\takeaway.ps1
Filesize 3KB
MD5 08c0963ddf483e5c233026380de1b6d0
SHA1 1e3a06d038a48c76a6ad0c400cf145109e7179b7
SHA256 488590a74e0ab3e1a8942146d3b0f1ce1c0a0841fede177406635bb68cc7ba59
SHA512 a73d58c5881468d504dc67b6ff1830d2147394717ef3ed8dd8489ae060d1d3a12eac7c500d7d5f0f915e6497a19f43c08ada089f5b9855f34a99898fc772317f
-
C:\Users\Admin\AppData\Local\Temp\winhost.exe
Filesize 92KB
MD5 c24f6144e905b717a372c529d969611e
SHA1 0a297e9e5c807c06ad10f4f746f4f9e256df6743
SHA256 94ef44e3f7be172fb47203eb942e4601f1a96cb4bfd37e055fd6cf39b5db49a6
SHA512 f0b883f54808a5e669fdd7a41a3899d302edb8c4e6160ea88ec8cb25783d56c39a815b922b17ed133610f1dc3bc515eba63410d381d0e65e0998e2b752b0874f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize 7KB
MD5 a704158a5b512c949effb9575de6db33
SHA1 e5679e7bef17211911823a199f73d655b94fea2c
SHA256 0dde3aa2fbc9500bc3acc2133e2bffc8875431782ea15b0be536f4b2c2340a52
SHA512 525bb74701aaeb876a74998dbad422f5cf299a70fd08b09458a2a4d714ab05806ed9be918b67ed0783724ee6bc67d90048f2f7a945b1a0e1b1b80a321ccfdde6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Filesize 7KB
MD5 4686c2796b69ec9b1cb36ded2b53dc6e
SHA1 33f8bc3ac98bb2579d7e4b5e1967ac2ad4e5bd95
SHA256 692b414708a7e26858b7bfe867a2de5c4fdf7a9c0eb2924cc7a93c0c37e8a4d2
SHA512 cd1ffa9055f7e13c2942a494d90014c5e8f20b51ecce9952fed7433b32e317cc9eea951ca8026a0a4bbf6b57bffc7b33f9fde76e21f643e79d8f8c025e984092
-
\??\c:\Users\Admin\AppData\Local\Temp\CSC4E21.tmp
Filesize 652B
MD5 c4c75fcb0a80c59e2e715da2a3543a2b
SHA1 8d2234467d5376e0c93d88545c3fa6f7c9eb5b3a
SHA256 b1b4dc15a8c68b5a82fa6c98acb553809b76aff0b57ea0a67dc53efe1b37f395
SHA512 ee8bcf5482baf0b9b681693b4054640e9cd1e5eaf50cbd50f89556ece864575ca43107f19a01992672e4ec4594cd17c37f62bf3eae6ee5e5270d3be2d008a0d7
-
\??\c:\Users\Admin\AppData\Local\Temp\ikqoqosy.0.cs
Filesize 308B
MD5 9c478287d8b4ad6cd34ac20bdac9577c
SHA1 73965974950d1be20682abc2f716e5070f2c7097
SHA256 8bb1e373d78c7c750ac20b5b0ec3dfcd1e8e74ca8d6accde1e02aa2c205c776f
SHA512 b0c435e194b5a72c50ddccf2bc84d178e5e1872f4ed3f630a661d187f77f4eb095a08303e4d243c45384a84b717fd2d5c76c5c4274cade5ad1a09dcdcd4ca6a2
-
\??\c:\Users\Admin\AppData\Local\Temp\ikqoqosy.cmdline
Filesize 309B
MD5 c971081d16680aa9c7afd7ccde52c206
SHA1 fc59f1e2de68a1c1214ec124302988c24f1e28ce
SHA256 1ed6d1359ef267ca07c0e2ef3ca7fc78aead91d2efaf95ddd98238415e31749d
SHA512 8b5b4f16a012d227ccab024d76a158b5f94e479796858a7c6a99ce35c3a4950c3c6c70f81da3d76acdc67db662dd93c1277e618410c5af5bf3381a5816b2b17c
-
\Users\Admin\AppData\Local\Temp\NS2.exe
Filesize 125KB
MD5 597de376b1f80c06d501415dd973dcec
SHA1 629c9649ced38fd815124221b80c9d9c59a85e74
SHA256 f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446
SHA512 072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b
-
\Users\Admin\AppData\Local\Temp\winhost.exe
Filesize 92KB
MD5 c24f6144e905b717a372c529d969611e
SHA1 0a297e9e5c807c06ad10f4f746f4f9e256df6743
SHA256 94ef44e3f7be172fb47203eb942e4601f1a96cb4bfd37e055fd6cf39b5db49a6
SHA512 f0b883f54808a5e669fdd7a41a3899d302edb8c4e6160ea88ec8cb25783d56c39a815b922b17ed133610f1dc3bc515eba63410d381d0e65e0998e2b752b0874f
-
memory/268-59-0x0000000000000000-mapping.dmp
-
memory/284-73-0x0000000000000000-mapping.dmp
-
memory/688-99-0x0000000000000000-mapping.dmp
-
memory/816-78-0x0000000074830000-0x0000000074DDB000-memory.dmp
Filesize 5.7MB
-
memory/816-67-0x0000000000000000-mapping.dmp
-
memory/816-96-0x0000000074830000-0x0000000074DDB000-memory.dmp
Filesize 5.7MB
-
memory/816-93-0x00000000024D0000-0x000000000311A000-memory.dmp
Filesize 12.3MB
-
memory/816-89-0x0000000074830000-0x0000000074DDB000-memory.dmp
Filesize 5.7MB
-
memory/900-54-0x0000000075C61000-0x0000000075C63000-memory.dmp
Filesize 8KB
-
memory/904-62-0x0000000000000000-mapping.dmp
-
memory/1040-57-0x0000000074830000-0x0000000074DDB000-memory.dmp
Filesize 5.7MB
-
memory/1040-55-0x0000000000000000-mapping.dmp
-
memory/1040-88-0x0000000074830000-0x0000000074DDB000-memory.dmp
Filesize 5.7MB
-
memory/1280-90-0x0000000000000000-mapping.dmp
-
memory/1280-94-0x0000000074830000-0x0000000074DDB000-memory.dmp
Filesize 5.7MB
-
memory/1280-95-0x0000000074830000-0x0000000074DDB000-memory.dmp
Filesize 5.7MB
-
memory/1388-102-0x0000000000000000-mapping.dmp
-
memory/1536-86-0x0000000000000000-mapping.dmp
-
memory/1636-101-0x0000000000000000-mapping.dmp
-
memory/1780-84-0x0000000000000000-mapping.dmp
-
memory/1856-80-0x0000000000000000-mapping.dmp
-
memory/1936-100-0x0000000000000000-mapping.dmp
-
memory/1944-83-0x0000000000000000-mapping.dmp
-
memory/1948-85-0x0000000000000000-mapping.dmp
-
memory/1956-87-0x0000000000000000-mapping.dmp
-
memory/1988-98-0x0000000000000000-mapping.dmp