Analysis
-
max time kernel
151s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system -
submitted
08-09-2022 14:59
Static task
static1
Behavioral task
behavioral1
Sample
Takeaway.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
Takeaway.exe
Resource
win10v2004-20220812-en
General
-
Target
Takeaway.exe
-
Size
380KB
-
MD5
a1ef511c6b47307948465fe6e1af6997
-
SHA1
103f8cc1af6581b4be3f606fd86940d632a450d1
-
SHA256
dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584
-
SHA512
8cc28fc5e1e3e000e977f2f55fa9cf938dd29346e656d013c9ac126572d6eab469b3c3cac9d83683e37c3a220d1a12b22abb0d388483eab07a3ed92965be6821
-
SSDEEP
6144:QsCwu+mWhJifvtNP/7YXSLB80PqO/PhR3p0Ov6Po5/RrVqB8hgh6mTi:NxmIJQvPkitEqZR3p0u6+URTi
Malware Config
Extracted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
GetDecoding@zimbabwe.su
getdecoding@msgsafe.io
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
384 | NS2.exe
808 | winhost.exe
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\Pictures\EditCheckpoint.tiff | winhost.exe
File opened for modification | C:\Users\Admin\Pictures\ExitUnprotect.tiff | winhost.exe
File opened for modification | C:\Users\Admin\Pictures\InitializeEnter.tiff | winhost.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | Takeaway.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | winhost.exe
-
Drops startup file 5 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-72FE0235.[GetDecoding@zimbabwe.su].get | winhost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | winhost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winhost.exe | winhost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | winhost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-72FE0235.[GetDecoding@zimbabwe.su].get | winhost.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winhost.exe = "C:\\Windows\\System32\\winhost.exe" | winhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | winhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | winhost.exe
-
Drops desktop.ini file(s) 64 IoCs
Processes:
description | ioc | process
All 64 entries are "File opened for modification" by process winhost.exe; the ioc paths are:
C:\Users\Admin\Links\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Admin\OneDrive\desktop.ini
C:\Users\Admin\Pictures\Camera Roll\desktop.ini
C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
C:\Program Files (x86)\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Program Files\desktop.ini
C:\Users\Admin\3D Objects\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
C:\Users\Public\AccountPictures\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Users\Public\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
-
Drops file in System32 directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\System32\winhost.exe | winhost.exe
File created | C:\Windows\System32\Info.hta | winhost.exe
-
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc (process is winhost.exe for every entry)
File opened for modification | C:\Program Files\Microsoft Office\root\rsod\proofing.msi.16.en-us.boot.tree.dat.id-72FE0235.[GetDecoding@zimbabwe.su].get
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\oregres.dll.mui
File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\Microsoft.PackageManagement.resources.dll.id-72FE0235.[GetDecoding@zimbabwe.su].get
File created | C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_elf.dll.id-72FE0235.[GetDecoding@zimbabwe.su].get
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_ja_4.4.0.v20140623020002.jar.id-72FE0235.[GetDecoding@zimbabwe.su].get
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Dismiss.scale-80.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeWideTile.scale-100.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sv-se\ui-strings.js
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\ui-strings.js.id-72FE0235.[GetDecoding@zimbabwe.su].get
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-fr\ui-strings.js.id-72FE0235.[GetDecoding@zimbabwe.su].get
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_bho_64.dll
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\SmallLogo.scale-125_contrast-white.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedAppList.scale-200.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\sample-thumb.png.id-72FE0235.[GetDecoding@zimbabwe.su].get
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-125.png
File created | C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-ppd.xrm-ms.id-72FE0235.[GetDecoding@zimbabwe.su].get
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\ui-strings.js
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\AppStore_icon.svg
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pl-pl\ui-strings.js
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html.id-72FE0235.[GetDecoding@zimbabwe.su].get
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-72.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\download-btn.png
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\Hx.HxT
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-pl.xrm-ms.id-72FE0235.[GetDecoding@zimbabwe.su].get
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sk-sk\ui-strings.js.id-72FE0235.[GetDecoding@zimbabwe.su].get
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOS.TTF.id-72FE0235.[GetDecoding@zimbabwe.su].get
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\da.pak.id-72FE0235.[GetDecoding@zimbabwe.su].get
File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\LogoDev.png.id-72FE0235.[GetDecoding@zimbabwe.su].get
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\WideTile.scale-100.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_contrast-black.png
File created | C:\Program Files\7-Zip\Lang\en.ttt.id-72FE0235.[GetDecoding@zimbabwe.su].get
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\control\libwin_msg_plugin.dll
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.f74ef681.pri
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\PREVIEW.GIF.id-72FE0235.[GetDecoding@zimbabwe.su].get
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugin.js.id-72FE0235.[GetDecoding@zimbabwe.su].get
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\canary.identity_helper.exe.manifest
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\msvcr100.dll.id-72FE0235.[GetDecoding@zimbabwe.su].get
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar.id-72FE0235.[GetDecoding@zimbabwe.su].get
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-pl.xrm-ms.id-72FE0235.[GetDecoding@zimbabwe.su].get
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\scan_poster.jpg.id-72FE0235.[GetDecoding@zimbabwe.su].get
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\progress.gif.id-72FE0235.[GetDecoding@zimbabwe.su].get
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookicon.gif.id-72FE0235.[GetDecoding@zimbabwe.su].get
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchMedTile.contrast-black_scale-200.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Toolkit\Images\DefaultProfileImage.png
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLPROXY.DLL.id-72FE0235.[GetDecoding@zimbabwe.su].get
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-black_scale-200.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\MedTile.scale-200.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-100_contrast-white.png
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms.id-72FE0235.[GetDecoding@zimbabwe.su].get
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GetStartedSplash.scale-200_contrast-white.png
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\rhp_world_icon_hover.png.id-72FE0235.[GetDecoding@zimbabwe.su].get
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-30.png
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ppd.xrm-ms.id-72FE0235.[GetDecoding@zimbabwe.su].get
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.VisualStudio.Tools.Applications.Runtime.dll.id-72FE0235.[GetDecoding@zimbabwe.su].get
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\adc_logo.png.id-72FE0235.[GetDecoding@zimbabwe.su].get
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\msvcr120.dll.id-72FE0235.[GetDecoding@zimbabwe.su].get
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml.id-72FE0235.[GetDecoding@zimbabwe.su].get
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe.id-72FE0235.[GetDecoding@zimbabwe.su].get
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Grunge Texture.eftx.id-72FE0235.[GetDecoding@zimbabwe.su].get
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\ui-strings.js.id-72FE0235.[GetDecoding@zimbabwe.su].get
File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN022.XML.id-72FE0235.[GetDecoding@zimbabwe.su].get
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\BadgeLogo.scale-100.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml
-
Drops file in Windows directory 6 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\ | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-FontFace.dat | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-System.dat | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-FontSet-S-1-5-21-2629973501-4017243118-3254762364-1000.dat | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\~FontCache-S-1-5-21-2629973501-4017243118-3254762364-1000.dat | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\ | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
3732 | vssadmin.exe
4384 | vssadmin.exe
-
Modifies data under HKEY_USERS 2 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\FontCache\SystemFontProvider\ConfigExpiration = "133077348473664802" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\FontCache\SystemFontProvider | svchost.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process | consecutive hits (64 entries in total, listed in the order reported)
2236 | powershell.exe | 2
3960 | powershell.exe | 2
808 | winhost.exe | 8
2236 | powershell.exe | 7
808 | winhost.exe | 2
2236 | powershell.exe | 3
808 | winhost.exe | 4
2236 | powershell.exe | 3
808 | winhost.exe | 4
2236 | powershell.exe | 3
808 | winhost.exe | 4
2236 | powershell.exe | 3
808 | winhost.exe | 4
2236 | powershell.exe | 3
808 | winhost.exe | 6
2236 | powershell.exe | 3
808 | winhost.exe | 3
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
Processes:
description | pid | process | consecutive hits (47 entries in total, listed in the order reported)
Token: SeDebugPrivilege | 2236 | powershell.exe | 1
Token: SeDebugPrivilege | 3960 | powershell.exe | 1
Token: SeIncBasePriorityPrivilege | 2236 | powershell.exe | 1
Token: SeBackupPrivilege | 2336 | vssvc.exe | 1
Token: SeRestorePrivilege | 2336 | vssvc.exe | 1
Token: SeAuditPrivilege | 2336 | vssvc.exe | 1
Token: SeDebugPrivilege | 3676 | powershell.exe | 1
Token: SeBackupPrivilege | 3676 | powershell.exe | 6
Token: SeSecurityPrivilege | 3676 | powershell.exe | 1
Token: SeBackupPrivilege | 3676 | powershell.exe | 5
Token: SeSecurityPrivilege | 3676 | powershell.exe | 1
Token: SeBackupPrivilege | 3676 | powershell.exe | 2
Token: SeSecurityPrivilege | 3676 | powershell.exe | 1
Token: SeBackupPrivilege | 3676 | powershell.exe | 2
Token: SeSecurityPrivilege | 3676 | powershell.exe | 1
Token: SeBackupPrivilege | 3676 | powershell.exe | 2
Token: SeSecurityPrivilege | 3676 | powershell.exe | 1
Token: SeBackupPrivilege | 3676 | powershell.exe | 2
Token: SeSecurityPrivilege | 3676 | powershell.exe | 1
Token: SeBackupPrivilege | 3676 | powershell.exe | 1
Token: SeSecurityPrivilege | 3676 | powershell.exe | 1
Token: SeBackupPrivilege | 3676 | powershell.exe | 1
Token: SeSecurityPrivilege | 3676 | powershell.exe | 2
Token: SeBackupPrivilege | 3676 | powershell.exe | 2
Token: SeSecurityPrivilege | 3676 | powershell.exe | 1
Token: SeBackupPrivilege | 3676 | powershell.exe | 2
Token: SeSecurityPrivilege | 3676 | powershell.exe | 1
Token: SeBackupPrivilege | 3676 | powershell.exe | 1
Token: SeBackupPrivilege | 4928 | vssvc.exe | 1
Token: SeRestorePrivilege | 4928 | vssvc.exe | 1
Token: SeAuditPrivilege | 4928 | vssvc.exe | 1
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes:
source pid | source process | target pid | target process | hits (40 entries in total, listed in the order reported)
4364 | Takeaway.exe | 2236 | powershell.exe | 3
2236 | powershell.exe | 1064 | csc.exe | 3
1064 | csc.exe | 4560 | cvtres.exe | 3
2236 | powershell.exe | 3960 | powershell.exe | 3
2236 | powershell.exe | 384 | NS2.exe | 3
2236 | powershell.exe | 808 | winhost.exe | 3
808 | winhost.exe | 1572 | cmd.exe | 2
1572 | cmd.exe | 4472 | mode.com | 2
1572 | cmd.exe | 3732 | vssadmin.exe | 2
384 | NS2.exe | 3856 | cmd.exe | 3
3960 | powershell.exe | 3676 | powershell.exe | 3
808 | winhost.exe | 3100 | cmd.exe | 2
808 | winhost.exe | 3128 | mshta.exe | 2
3100 | cmd.exe | 4692 | mode.com | 2
808 | winhost.exe | 3180 | mshta.exe | 2
3100 | cmd.exe | 4384 | vssadmin.exe | 2
Processes
-
Process tree (the number in brackets is the depth in the tree; indentation follows it):

[1] C:\Users\Admin\AppData\Local\Temp\Takeaway.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Takeaway.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -noLogo -noProfile -File takeaway.ps1 winhost
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uimfrzco\uimfrzco.cmdline"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA146.tmp" "c:\Users\Admin\AppData\Local\Temp\uimfrzco\CSC3B723571DD294859AE6D8A2FBE605F34.TMP"
    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File purgeMemory.ps1
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Users\Admin\AppData\Local\Temp\NS2.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\NS2.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c cls
    [3] C:\Users\Admin\AppData\Local\Temp\winhost.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\winhost.exe"
        - Executes dropped EXE
        - Modifies extensions of user files
        - Checks computer location settings
        - Drops startup file
        - Adds Run key to start application
        - Drops desktop.ini file(s)
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\mode.com
            Command line: mode con cp select=1251
        [5] C:\Windows\system32\vssadmin.exe
            Command line: vssadmin delete shadows /all /quiet
            - Interacts with shadow copies
      [4] C:\Windows\system32\cmd.exe
          Command line: "C:\Windows\system32\cmd.exe"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\mode.com
            Command line: mode con cp select=1251
        [5] C:\Windows\system32\vssadmin.exe
            Command line: vssadmin delete shadows /all /quiet
            - Interacts with shadow copies
      [4] C:\Windows\System32\mshta.exe
          Command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      [4] C:\Windows\System32\mshta.exe
          Command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Filesize 7KB
MD5 5cb4ca15a55ebd60ef96a0d6bcb2191f
SHA1 cf297b67810935a444e666714350d4c652445f06
SHA256 049afe797d619c72862eeea9d9befa904174e7e0c00cc261e52bbe69b687f66b
SHA512 02195bcbd066f08db559622d332f62087f414794555d745b5eca35b3b2031c4ba1ccb0b24a96e001cc7a226bccd7f2279a8e22db8ec3c5e7fbf89e66b2fb4c8a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize 53KB
MD5 124edf3ad57549a6e475f3bc4e6cfe51
SHA1 80f5187eeebb4a304e9caa0ce66fcd78c113d634
SHA256 638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675
SHA512 b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 24KB
MD5 2b86eac633d551dc7cdd11cede1e4cea
SHA1 e505371dbba0d14a5c1bbedd239ff82b1cb977ab
SHA256 8751b0b7b1219061e549ebd08435e7d8029efdba10bdecfe1527f71c755b67a3
SHA512 b66295899cb255291d400ae8de3082338850ce31d64aa1b3bd4d0ffcd59e98f53b0d06d5099653ca47b27fa73ccf8a589e78c2697e705ec5ae35f83afcc6520a
-
C:\Users\Admin\AppData\Local\Temp\NS2.exe
Filesize 125KB
MD5 597de376b1f80c06d501415dd973dcec
SHA1 629c9649ced38fd815124221b80c9d9c59a85e74
SHA256 f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446
SHA512 072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b
-
C:\Users\Admin\AppData\Local\Temp\RESA146.tmp
Filesize 1KB
MD5 2a44e4dec8fd5d6514149cc7c960beba
SHA1 036f27fcd9fc80a0b2750f176bb20fa89a653f6c
SHA256 e0e7fc8d9e9029b60440a407eff88a6f551c14ece1bc0d702286c466aeec645e
SHA512 b7bbe92b5f7d96078d31e91cfd2d24a668e8cf9d030d58617f4b5f69c1a23120dd09870334ff680eb3e047d963b2374ba044dd26ec976b0563260106a1e89cfd
-
C:\Users\Admin\AppData\Local\Temp\purgeMemory.ps1
Filesize 8KB
MD5 31e22820cba11f6c7670854ed65f09ed
SHA1 9ab447c539234e75b56b3e180f3541580ffa0cea
SHA256 6a808299703119635c68fcadb14b7301775b49eb5948aeb319b6728f1686f035
SHA512 fbc97b21f9627687070edf9727f68062e8d5d71447497a0a0bd63bbe2ea3b0e753849226cb4cd9688f838e103e348dc070dc8360937e2662ff23291c4b2910fe
-
C:\Users\Admin\AppData\Local\Temp\takeaway.ps1
Filesize 3KB
MD5 08c0963ddf483e5c233026380de1b6d0
SHA1 1e3a06d038a48c76a6ad0c400cf145109e7179b7
SHA256 488590a74e0ab3e1a8942146d3b0f1ce1c0a0841fede177406635bb68cc7ba59
SHA512 a73d58c5881468d504dc67b6ff1830d2147394717ef3ed8dd8489ae060d1d3a12eac7c500d7d5f0f915e6497a19f43c08ada089f5b9855f34a99898fc772317f
-
C:\Users\Admin\AppData\Local\Temp\uimfrzco\uimfrzco.dll
Filesize 3KB
MD5 2002a0424a227870b3a4ef95e3fb14e1
SHA1 44bcb2c5dcd8f5ca1eba5d16364622b8836cc5a1
SHA256 df31c5d9c8cfd957a6942e3f0225b62e99085a68b2f32823bf27f077f55cbaaf
SHA512 85c4347a367cbd6d13b299f3c5ec09c70f8767a12a414753428387e98e74f663daefee5a9d673528f3823e69c3372b266c3c6b78818c9e7bbc2b810e3e01957e
-
C:\Users\Admin\AppData\Local\Temp\winhost.exe
Filesize 92KB
MD5 c24f6144e905b717a372c529d969611e
SHA1 0a297e9e5c807c06ad10f4f746f4f9e256df6743
SHA256 94ef44e3f7be172fb47203eb942e4601f1a96cb4bfd37e055fd6cf39b5db49a6
SHA512 f0b883f54808a5e669fdd7a41a3899d302edb8c4e6160ea88ec8cb25783d56c39a815b922b17ed133610f1dc3bc515eba63410d381d0e65e0998e2b752b0874f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize 6KB
MD5 6455aa211d483fd5dd13bc2f8dc7bfa7
SHA1 41f0a48fbdafb734f298656f68dedb3a12b9a8a2
SHA256 5e7cc3ad94f2dfbe58eb7b891b8022dea8a298dcdc05dbc1f5d92fbfac131db8
SHA512 3fd51dc7ad37fc18a83dbb7f22fc6512edeba15147a7f42f0dcb3830d8be07bf12f94ebcfc0016108a30d3913901a16a191bf7c6ad3f73c84f416da0bd35e121
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Filesize 7KB
MD5 5cb4ca15a55ebd60ef96a0d6bcb2191f
SHA1 cf297b67810935a444e666714350d4c652445f06
SHA256 049afe797d619c72862eeea9d9befa904174e7e0c00cc261e52bbe69b687f66b
SHA512 02195bcbd066f08db559622d332f62087f414794555d745b5eca35b3b2031c4ba1ccb0b24a96e001cc7a226bccd7f2279a8e22db8ec3c5e7fbf89e66b2fb4c8a
-
\??\c:\Users\Admin\AppData\Local\Temp\uimfrzco\CSC3B723571DD294859AE6D8A2FBE605F34.TMP
Filesize 652B
MD5 62890d30ac092f69c5d4926454acb3bf
SHA1 b3919dbc0d4b7375066d104f27ca58ae9bba2256
SHA256 98ef4c53e5c093ad3548a8a78a26041dd3f1f7f5673a55a6044fc29c89dd9371
SHA512 20bc083c924f46bb30449ce33c207a2eafd686623c48e5ca7d1dfe1615ae959c470868977b2d10b7e54c67848a18102ac007ec100bffab15cd16553e022cce94
-
\??\c:\Users\Admin\AppData\Local\Temp\uimfrzco\uimfrzco.0.cs
Filesize 308B
MD5 9c478287d8b4ad6cd34ac20bdac9577c
SHA1 73965974950d1be20682abc2f716e5070f2c7097
SHA256 8bb1e373d78c7c750ac20b5b0ec3dfcd1e8e74ca8d6accde1e02aa2c205c776f
SHA512 b0c435e194b5a72c50ddccf2bc84d178e5e1872f4ed3f630a661d187f77f4eb095a08303e4d243c45384a84b717fd2d5c76c5c4274cade5ad1a09dcdcd4ca6a2
-
\??\c:\Users\Admin\AppData\Local\Temp\uimfrzco\uimfrzco.cmdline
Filesize 369B
MD5 7a5f236a3212f715badc84413f9d50c4
SHA1 12c6ad088378c515ea0d337fc5c355e26250db1e
SHA256 fa4147116cd2acf7852f3b2ec14b2584519ee99faa7b8f21bbcb4e9551951152
SHA512 598963b97d0d5daa4c0d74e2ca00c6b9a1938d037c4ad56caa316b5169017f13be4d8609583546fb615a2c3b65efa4fa8b1a91001b14f32f3913a9509782f4e2
-
- memory/384-164-0x0000000000000000-mapping.dmp
- memory/808-167-0x0000000000000000-mapping.dmp
- memory/1064-142-0x0000000000000000-mapping.dmp
- memory/1572-169-0x0000000000000000-mapping.dmp
- memory/2236-160-0x0000000007AC0000-0x0000000007ACE000-memory.dmp (Filesize 56KB)
- memory/2236-134-0x0000000004DB0000-0x00000000053D8000-memory.dmp (Filesize 6.2MB)
- memory/2236-157-0x0000000007190000-0x00000000071AE000-memory.dmp (Filesize 120KB)
- memory/2236-158-0x00000000072E0000-0x00000000072EA000-memory.dmp (Filesize 40KB)
- memory/2236-155-0x0000000070180000-0x00000000701CC000-memory.dmp (Filesize 304KB)
- memory/2236-132-0x0000000000000000-mapping.dmp
- memory/2236-161-0x0000000007B40000-0x0000000007B5A000-memory.dmp (Filesize 104KB)
- memory/2236-162-0x0000000007B30000-0x0000000007B38000-memory.dmp (Filesize 32KB)
- memory/2236-154-0x00000000071B0000-0x00000000071E2000-memory.dmp (Filesize 200KB)
- memory/2236-133-0x0000000004740000-0x0000000004776000-memory.dmp (Filesize 216KB)
- memory/2236-151-0x0000000008070000-0x0000000008614000-memory.dmp (Filesize 5.6MB)
- memory/2236-150-0x0000000006DC0000-0x0000000006DE2000-memory.dmp (Filesize 136KB)
- memory/2236-149-0x0000000006E60000-0x0000000006EF6000-memory.dmp (Filesize 600KB)
- memory/2236-136-0x0000000005510000-0x0000000005576000-memory.dmp (Filesize 408KB)
- memory/2236-141-0x0000000006100000-0x000000000611A000-memory.dmp (Filesize 104KB)
- memory/2236-137-0x00000000055F0000-0x0000000005656000-memory.dmp (Filesize 408KB)
- memory/2236-138-0x0000000005BE0000-0x0000000005BFE000-memory.dmp (Filesize 120KB)
- memory/2236-156-0x00000000702E0000-0x0000000070634000-memory.dmp (Filesize 3.3MB)
- memory/2236-135-0x0000000004D30000-0x0000000004D52000-memory.dmp (Filesize 136KB)
- memory/2236-140-0x0000000007440000-0x0000000007ABA000-memory.dmp (Filesize 6.5MB)
- memory/3100-182-0x0000000000000000-mapping.dmp
- memory/3128-184-0x0000000000000000-mapping.dmp
- memory/3180-185-0x0000000000000000-mapping.dmp
- memory/3676-177-0x0000000000000000-mapping.dmp
- memory/3732-171-0x0000000000000000-mapping.dmp
- memory/3856-172-0x0000000000000000-mapping.dmp
- memory/3960-176-0x000000000A7D0000-0x000000000A7FC000-memory.dmp (Filesize 176KB)
- memory/3960-174-0x00000000702E0000-0x0000000070634000-memory.dmp (Filesize 3.3MB)
- memory/3960-173-0x0000000070180000-0x00000000701CC000-memory.dmp (Filesize 304KB)
- memory/3960-152-0x0000000000000000-mapping.dmp
- memory/4384-186-0x0000000000000000-mapping.dmp
- memory/4472-170-0x0000000000000000-mapping.dmp
- memory/4560-145-0x0000000000000000-mapping.dmp
- memory/4692-183-0x0000000000000000-mapping.dmp