564e2b97e02703ac304b1db8f94d53edd072a7539f344954aaaf6dbf5dea5a55

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_76d19ea74c17ddc673b99ef1d778d6a5_icedid.exe
Size

1.5MB
MD5

76d19ea74c17ddc673b99ef1d778d6a5
SHA1

79381fe1d20237a5e6e56e7e18f3a1d8cb0807ef
SHA256

564e2b97e02703ac304b1db8f94d53edd072a7539f344954aaaf6dbf5dea5a55
SHA512

0c3eab3937493ebe9bc5c16748f56facd67175ddfad65f5e9b724af3141125d3782d392eb6a71549cbe0c52ec51f38c06de82ed0da2e21f333004678d9eab7b6
SSDEEP

24576:bbz3Si/kdsqjnhMgeiCl7G0nehbGZpbD:b/3Z/uDmg27RnWGj

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2276	alg.exe
1160	elevation_service.exe
3056	elevation_service.exe
1748	maintenanceservice.exe
4868	OSE.EXE
1032	DiagnosticsHub.StandardCollector.Service.exe
3936	fxssvc.exe
4568	msdtc.exe
408	PerceptionSimulationService.exe
4828	perfhost.exe
960	locator.exe
2116	SensorDataService.exe
2640	snmptrap.exe
1632	spectrum.exe
4788	ssh-agent.exe
1192	TieringEngineService.exe
4964	AgentService.exe
2500	vds.exe
3444	vssvc.exe
2420	wbengine.exe
3712	WmiApSrv.exe
4212	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-25_76d19ea74c17ddc673b99ef1d778d6a5_icedid.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\374efeb3bb5459c0.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-25_76d19ea74c17ddc673b99ef1d778d6a5_icedid.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d2fda37fddaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a1163b7fddaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5caee7eddaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8757b7fddaeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000023749a7fddaeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000590f37eddaeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1160	elevation_service.exe
1160	elevation_service.exe
1160	elevation_service.exe
1160	elevation_service.exe
1160	elevation_service.exe
1160	elevation_service.exe
1160	elevation_service.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3144	2024-05-25_76d19ea74c17ddc673b99ef1d778d6a5_icedid.exe
Token: SeDebugPrivilege	2276	alg.exe
Token: SeDebugPrivilege	2276	alg.exe
Token: SeDebugPrivilege	2276	alg.exe
Token: SeTakeOwnershipPrivilege	1160	elevation_service.exe
Token: SeAuditPrivilege	3936	fxssvc.exe
Token: SeRestorePrivilege	1192	TieringEngineService.exe
Token: SeManageVolumePrivilege	1192	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4964	AgentService.exe
Token: SeBackupPrivilege	3444	vssvc.exe
Token: SeRestorePrivilege	3444	vssvc.exe
Token: SeAuditPrivilege	3444	vssvc.exe
Token: SeBackupPrivilege	2420	wbengine.exe
Token: SeRestorePrivilege	2420	wbengine.exe
Token: SeSecurityPrivilege	2420	wbengine.exe
Token: 33	4212	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4212	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4212	SearchIndexer.exe
Token: SeDebugPrivilege	1160	elevation_service.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3144	2024-05-25_76d19ea74c17ddc673b99ef1d778d6a5_icedid.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4212 wrote to memory of 4556	4212	SearchIndexer.exe	126
PID 4212 wrote to memory of 4556	4212	SearchIndexer.exe	126
PID 4212 wrote to memory of 3412	4212	SearchIndexer.exe	127
PID 4212 wrote to memory of 3412	4212	SearchIndexer.exe	127

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-25_76d19ea74c17ddc673b99ef1d778d6a5_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_76d19ea74c17ddc673b99ef1d778d6a5_icedid.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3144

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3056

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1748

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4868

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:220

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4568

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:408

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4828

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:960

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2116

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2640

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1632

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4640

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3712

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4556
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bf7016c75c4fff838e6adc7537c78e1e

SHA1
7bb0326f1336075cd86ca09c6ac0fbc2295d1e8e

SHA256
d9e5756f98de56f0c517b1136288bb53e67d17bd5262eb384545f4f4e2637de1

SHA512
61a7b03c902bfe9ccb063d53fa83064feea7df41a2b68f64bb4baa0a78f78b63909b4739472e0162594e25b0247ae6ce4eed5a738eb6369203cfdea4f6c2b012

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
b5d2a81cabae64308cf1814a589a3200

SHA1
4ae907764ddc318eec5079e61950460335bc62b7

SHA256
ce0bc187ab036587a03edc34e74182e1f5ef1df105bb32d87193a7bc6f3c179d

SHA512
9b944eb4a48139e68c90652492252bf245d59680ded52b6a7fe66df48ab3a34aabdec8136485c72c7816430a098cfce57d7c0bd778498722b5452997cb64c33a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
c76f70fd3a53f1a152bb7b79ad75e9d6

SHA1
f94910d04c54d725f0ba8c5380c0017172d7fdef

SHA256
66af4a4f8f82e640d671cc8ab7d11841ffc7fbba90f8328489bace9054103209

SHA512
b159e1f7dbe6374773bc5a5e1fa6a44a7ffd409bc85d4224d177cca99406ab8325b0bf2909902aebd2d731a906ca4acfd4995a4674295d2e3acf86e09ce850e3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
453b685b96a2912fe087a7403dd9acf6

SHA1
980ab07d0c0b3750669f9a471c3e08b17083274b

SHA256
f34413dea7fdd594d762462de996dde06d298b88ae06d508667194983439fbe6

SHA512
8e3a1802c3ad3f3ce3f80c08eae2dfd83b80f630cd3c2d7ff7cba0d69ed557c8ae0e94de46fd173e57bf437a40cffb4a9ef186d0b484aa8cce15ce6618f6c47f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
cb9f0207e7388fe2e8a50ed9976d9aaa

SHA1
2bbfa1e6cbbe56cb557628507de7a66868c0f2f2

SHA256
73f8d70f7a35ad826d726aa568edcba44e45e1d4c790f08c0d2691b96c4db488

SHA512
eec90f10fb899d30ece05f7e01721a2ea8a354186842f432dda5d0c7437a7180713346651e571d9c624209e8382c73135f066f54035433ff6950e62eddb0229e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
7dd9fb0dc32bb2eb6ae420f1398aa2cd

SHA1
ab2e71463a2548709469b356d622613a748cfdc7

SHA256
3b8132075cd12ba7d8ad82eb23aa140dcf22ec603f26f5be736761d0ea0dd874

SHA512
97eaca80d91148584c42dc5da2ee90c4938a5e920b0ecef82205c27a190ab1122b842473c4dbf4f2dd8f78f60493ab5a20d8a1c2f8592d6073932acf76b3d8a3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
ce9a76a74a629e77712639861996d0db

SHA1
ef25963674f81e5909a69502cbb51c997f29b884

SHA256
52794c62d0bfb53f90530b1268f843e6b28fadbb4c3a008ec86451c25c5d654f

SHA512
4c0664f462178313ebf54137bfedbc93cd5f4fecb5015a375a7aeeafe73826974f05e34bb774bb49b54c2f2af1bf717be46df40e8d626d1271f55afd9e216787

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ba107f671b95208b137093cdad691677

SHA1
70d87fbdc0d3fa538ecd1af1b1ada54f78eee5bc

SHA256
46dcb20e1c949e6d2cf12d5eda11bcdc3dda61458791b41e3138cb989c04266d

SHA512
61ef141ca7311f2490b3c7f3f65c4f0cb2fd70d99b7aa3a8d9e59da6c5a9314e3183abcbdc383bab89fb93b3257edd2a8e9fa40ec0b7f4d94ee4c4dae85cfe7d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
c9fa16dd327bec7cbc57227c921e41db

SHA1
87a23a29bf97d8ead4d374d72629e85a572fc685

SHA256
23632c0639e038b110b553eb9c87d250f55fef8d5995dac69d653aa4d52956bc

SHA512
9249aba6e8a09a1a5553a4b7ecabacb1749cfec2a1dd822f3868a1367ccf8be27b09621c24fabcd613d0502ec84766f8279a9c5f7249c19af13efb4561638a68

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
4e71953a1abd357e7a85b6c0dd77a266

SHA1
dba6ef55deeaa98359d11ac3123968020970ab80

SHA256
b8c01b4801446f48ad07ee57d215dc8ffe584bebfaf5b2931b26a5839cba0be2

SHA512
cae9ad6a10768501f0b021d253a8d920cb3483cca58f352e039fe974f778e99a185a6e9361baa808586eca7628d736e5412d4e6b786704c341b24849baa98792

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3b7d477ccbb89b929e1bd8c277cf4c2b

SHA1
35d118ec0bb9d74fb12666644fa0567f0711bc7b

SHA256
64b2e9216995217b924284496a541017fee370cbb5d0f9d720f710f3fb080425

SHA512
daf3ac3ca441e1254eb28a702ec43314ba7c9e6d003dbe6ca82640653f6b94859b8ea77b4090d07cd8260c6a45d6dc1c1c69d88726711162f1b94852fe699551

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6a4d8117ed20f1da45929aeb3b2495d9

SHA1
80684b61421647bb5c0d0809857b1dba6bc52d75

SHA256
da32a9f9b55714ffcd0590c8ba2272bacae1f8a1d5142e0017520b5caa4bf7db

SHA512
9abc048d548caa7ec0d9411d9180cfe861cb191c20ed975c0b9e4a53fb5155795b66e0d89c695b4bbe7878d450899095913921e628106b60a770878f7a315a80

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
f5e05f7ad612585d24fd7514a964e8f3

SHA1
d77e786331bd39dcba55e92b703048d4b666fe18

SHA256
feb3b2b44b144851044f919e26293a626b16ba8ae9a85325f680ab9a399af527

SHA512
553b3dc63bb21d306d093c75c54acedc6743d8ab37ec5b49eda0c91f3dad501b4d80481fea720c4e4e06ce55a1a88ad42b6141c24a9a57100d0fcf03f67572c8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
21bb4c4c5a54f24def5020ef05c7457f

SHA1
bea7578e063346cf8834b63b2ee433cb6173263f

SHA256
51bbc9c2689a98d5860825ab03beaa39f43f572d59e720109c835283a7741d4b

SHA512
78bdb67069e65bfa1fa65138d18ca3a434ffe48f16ec5382a43076cb1f3cd778edc738f95675ef745877ef0671153382c48da7f3c314ebcc782c9ad1170c7eca

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
96db4d32ba81f49adc981310a6c9384e

SHA1
e002ebe13fb09f21a8743291bebe28f8a812311c

SHA256
bf825d8f0e420b86c6046855cafe4fbe289ff6ff266a66ab89bbfa82c4406eea

SHA512
854808efdbeadfd2ca8e840c2d755b3a1b53f849c3c070fb363c7e04a113709ea616ab5b584d1f458e9c2a305b553d09dbeadb9ace49cda599f4fac3cd804fc4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
185af44ad02cbe6ec700420972866cfd

SHA1
6d9f87f18a8384ff9761edac234a665f695fbbe7

SHA256
f0bec4e1dc9920965cba633a46c26ddbd4676d5e31a9d7e015c94d64020c318f

SHA512
ee4dff1d772afe378d1a716b0f053b607c92b255745a4f116b372887fac9ac171cf29bbac3071ce3d7ab7205c8608d64676756da00828499fa73c3e3a7909562

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ea5d3c1713d65303ccba57208b87510a

SHA1
5873e9d1198b826207a438275dc1dc1758b7996e

SHA256
59dfb9d7299c4550890868c9215e5184b120ae81f0ae6e034339c15ef55eaa2e

SHA512
6cf66ebd3f7b051d1abf1d911ae0c0182846e948558cf465daa0225f3ea995a5938083bc43eb3f3807eb3bb23b693b57aa9322b8d1ef038dd89a8ad9ee78f8cd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
043ae86bed327f78be9476a73a551453

SHA1
a35169fc77b8988c4cec2acf6fe17b3b0adbf694

SHA256
1cf9ed1177937f75427bce5e100ba2d77ed44640cb32cc5be558fbd1e3b179a2

SHA512
947a1ea3b3f88fc340b60145841d6e41cd3265bf35c417fc3cbd7bec5972c0cb1134717736931e1094af8d76a7f86055b1a5df2fdde1513e6c339ffbc3c05906

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
b486672cb20b3767213ffb1bc4507c80

SHA1
c89692d873512ef462da57e0df97d27c3dc0e1b1

SHA256
892a02397477b93298d1f329d1f875ff9412318ce1f477f82ff5d942bc8c2510

SHA512
e87b3b9b311caca3d0b5c578d8fa916c4f44f73066d7bba7bc115fd9ec52da3062ea2e0353f3a74791484c386590012e59bdb877d6f0ecd870dd556f23615c2e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
4fe4b93ad80ad6b4025c301fceed7602

SHA1
aea562b2183b7437237aada63916ca804c87386f

SHA256
3dba636588a8b8ef651a15b9404b5090b80c7586e45e3a297e437e154579cbd4

SHA512
5eeda56134b3e8a329779d0591aa7fee7246af56f923da4cc610dc7f4c11184f30cd247ded2d6f9fddf4b90f5a750771aa1fa670219490bc16a581d335c3e8e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
acb06fd227c2a68b08a8b6ff3cb43153

SHA1
e2304241c8259f52b65da8a31941c0eff6e9eaa6

SHA256
03731265015cd48d9a5b80f2847a6bc266efad0d65b99907482f59154fbd665e

SHA512
cdf8853558b84376abbd273e34caa374bba72167ba63b931d6c91345fe3b556c6e3a4bbf6e3aa259eab826b153b2d6e9bba2b4ae946721d2e8113db47fb34140

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
f4c8d2b77edef10eb2164545eeb34b4e

SHA1
8a49497f91cfe70e1d2383acbbba37b04ae7e03b

SHA256
9d92893ef78d24ec536f35f5d92a366de6b4fc74c97d030b6f818de7bb9b5dae

SHA512
0a0f7ef7bec9a46944564307b598edf09650894d5f9e749eecc0711a15c378d36595dcd9b94ed0381b7069bde449d0ef930715a14f8607fb52ec060d00746308

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
25389a8aee2d5f80eac2175a4d8efe42

SHA1
7c284a015e764ce437363b881d99aef77399202b

SHA256
5d4f953dbbdf19ca531f0ed996f27387699a72cd851a6636a20cf21c4ec7194c

SHA512
4475b45d6e971835fc6fe2b174a6501820da4de4d1b148fc0bd9c2df8b7f45ef528718cefeab79884451a67dca76d4f9e28ef72412ed17f7288001adf7240ae3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
dbf6dfe13d522a8cfb11b8ff1a57afa7

SHA1
f785e894f52d5127905d01118bdcd1749f079882

SHA256
b05d1cd240d8d8c1f9eb3a3501779fe7302c6cd495378e7dd6c36c8a97aa39e3

SHA512
799617514c6ea36ae889b71737dde2a73f4099ec297b3d5635a62c483a16cd87f7f09d4d761a17e783a579f3e61a67255e75db1ea4fe030176cfda74ea63aabc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
fbcdb9e3cc4d22455571e89766abc61c

SHA1
63291ed4ca8478b6c7cf9fa73569033bfed343e3

SHA256
203e9e8b7c4a931bf12a211b5efc0317df042cb0f0c58f57dc41cf2654a9c972

SHA512
45f552fd1ec353237ddf06d06b7e6bd54ed8ffbee752ad3b2a531235dadecc6f4dc39f8ae74537ce47084213a6cc163f00bb1b0bd860ad52e01ce607ea1c93f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
c89aa47fde2aeaa4fac8992ebc0e16cc

SHA1
374990452aad7b707c756b5a03ad9e7d46b222e2

SHA256
630965b840ebbfb913c0cbb0e05ec32a878788d9c2d96c45d842c2522aafe20d

SHA512
b513ff66b8922dd4ec6937f8c8b65ea2843e946ecfd24375b5e52e17d590b10ad93fc98715a27653ffd356db76aee36aaca31256a0dcc38d84f477be6e1ef6fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
79ae5bb7698b954f5d5e7bf15ef03b79

SHA1
70e5688614931d503ab209275676627a2db5244e

SHA256
877ef5f737ad420c1e5c65970057909abd20e0b1e78b1bb17d08e3823bbcb0a9

SHA512
f33af1bba3d5f366ece1a0a851f431d8e4c08e10e359d35a8d738cbf447df4e4bb3e99609e342d83464b72231659f66e96f59d86efb6f4673643db1651362eac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
7046485055ce041ca5db3050b6c5c331

SHA1
619073690d3aca9c94c2fe90fac7e0388096cf70

SHA256
be7cdacd8fb69fecf589b71aeccba3c5d91b8bd9d40d5275b0f0dbdb6afe2c1b

SHA512
d8dc65ddff427737a52953d1bcd6d26d6657d544db78ca45fdea7d5f1e4e791257378f0e980508ff919c93c1292715bc45b831ff2620f1752054a64d51bf1d90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
d5ea616bc89419d8750d17e4ed9f2e75

SHA1
53afc571ba4bd5ad2c358f63da14e9415fa87528

SHA256
3dbf46add7092c5bbf00f543a6af20530f269ef218874c0ba25c8283584d9358

SHA512
3f0a3a8653707e49d4b0051d1c00c983d75961ffb104b2086c22ad1934e986bbe96fe9a952c0673a67dd48cba71f8ebc12d512d8f4cf47fb0bf4433c36aae2ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
ab3804e38e778d8bc76c4964cfa9fcca

SHA1
bba5bd6b0495a08888ba401dc2abfbe50e4017ec

SHA256
459821f0fe9d1cf39dca334242fa8515b6405f00b789bf776fb66f715a32e648

SHA512
c038c128dd16ab8d275094ce87d7e3a6c6ad3a2fc18556a7d4db4b315abd347543d3c75b51d84c8586e8d908e49e26cb4714dca923f4c334774c50911fc1e011

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
6986ef1b95267962159399aae146763e

SHA1
39ff146c0c550063996ceb17a162e3c67f436369

SHA256
0e6f4a841835333fbf3c40ae24d48e121a3d1a2b6abec7d0703602bf2da2f851

SHA512
2574242fad6897c90a6b1f8f2f3107690597c96b95ca2077d3baf232001c2e6b3f576f79dfe0a55ca21ea5a9b36ed2cb6ec0bfedb028004eddb9b28e2f8b7954

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
226e4b99057297f5033ed04ece899185

SHA1
2d60321867ef15bc326ab5924867d33a31843fc3

SHA256
ffe968e8e5b066718fe71fc64f7050f0123f975278a77b4af6bad032551dc16b

SHA512
9795bb5fb4477c1df75b907c0f4aa754aea073fd9b1365fb750ba54892ec724beaca8f8027f3dfd8059f836fcb80d0c5e5a8632b16f429433ec31c333d80e715

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
55a1280467dec82e2b5911011cbe733d

SHA1
90186ebfd0aa36883e5ced398817a59928049cb2

SHA256
8285b235c5e78dedd35141fe1fb4f8d25bf61b48d4ac6f172617eb862da0f345

SHA512
47f3402e3e4332e2772fe49dfe10edfbc68216253249d9fe9e3c1f501aa746e94a46ae97acc1d195d2c7ac600519d3959086863b30e6c94553b3b8441acaed2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
9d91ff6fd310c1ddcd8eca19a8620563

SHA1
c436fd15cbd6336393b35910393eb41d1b3c92a9

SHA256
7a18592675ffe26a69597f772a5a0d94c14b3739a5445e56ca849254c65900eb

SHA512
4cc2c71d13e1a9a5be2b6f0b29d193241eec6c5069214093fd68305a57e27ba2e40ff6b1c8d8c6338c2d553a98c6fa40edb4a6805a304ae16b1e6f5316a33544

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
174221b31830fccbe18919c80214ace4

SHA1
f2f7b1faafc62c70f0ee5b6ebcb711f5fde4c7ce

SHA256
fb5704aa4f13357f96deb0d8491476307690003a3f1ab256583bc21887f0a16c

SHA512
b3e6b1d9e0d6bd3b6540748b59411c4b9496ead9841f4cf37f1fa17d15a3ad75b2f9b1d1c82d12df49be858f88411ffb2c81527d6b093ab9e63d36600f27d90c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
b10e233fcfb4a562c257ebdfadb0787e

SHA1
76633090c8fc4f95b17cc8c4cdde92c74236de8f

SHA256
75a8b8f7be84ad9f31551f46f27d1811b7fc88c2dbb312c8dff0fca00d201372

SHA512
757b57800fb9ab981bd8ebb56e5b3cd3684da0a67393a9dcc35c8ad6dcb773e95b1be7f14b60acaf20ed36a384e927bd48daebc3c6ad0dc2c9dc3bb369405971

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
919164ffbb73849c44f28774ea52e6ed

SHA1
eb3b711cdd72777c2701a91df276cb990bc36e61

SHA256
6b80bb5691ee39d2e2dfe963ab1079502fca873c1047bba23b10ba1d64c98bf6

SHA512
3b98884fb6fe9246a2e363b29b2a13bfd6c292de405d2659238b0ec87079bc88f820e8946ed6e2a9cc188e7e255cbe639bcd4b948f2a95cdc75616a634c4bbb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
e1e07120074958f533dce27fa6955574

SHA1
89f577569fa3e4efc001f80df3426cb9c7c8e1bb

SHA256
c5f8c0539528bdc9f4a8ffec810e82677621d9fc7423bd4d91a2d0e5e5100fd8

SHA512
3bd6734c98b61f7ff4e9d61537e3a8e0360d770e1fcc2fda31916e8e85598e5fbfa6d9bb08127523bc13b2e747aa3ad5e354d5f24e3d4c09c5468aac0520642a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
031597a03c50470261219132384f2c96

SHA1
913f5d77772b34900139bcf488ae808e02087a84

SHA256
dca36208fcb00d7bba624efe856e728dd570a6365876781b71916c3c2c475f0c

SHA512
657a28d42d2c4c7c93d880d84a5d76214ab109dcaeafa089e80aff23e50b4cb8d82b888a7837d91cef70226d8f3b7fcb43a41b7a4886ff4822c041554afd4b87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
1c6fea6320f5695f4606253c6cd0487d

SHA1
e74b0dbca65ad2ea23709d2b304d0a61933b41e4

SHA256
505d90d5256be5674a314e5eda6b1e12599ef97230988ab9dae3cc0bb9b276bd

SHA512
9d680362cd07386255f967b1cbdf9b9041dcb88eb892c77dc65ebb0da3ec164469a583c25ee126e8e794ed953740b9d2d9a80ec825273ef3e810bd3c8a1590a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
0e3b232cc1be210a85b2baff2aad64ae

SHA1
4e3c966e447429788195a61e327538c3bb63f11c

SHA256
e7e5e6cbca4363721bffe819b4fc757ef221d36f61d58839ead40ff7dc8dd30b

SHA512
be7138010d37f62b5b3af1cbd59f33eb6aae18bfc63b406dbcc3507eb4390ddf12e045e180dceda9f9144c29cbbea52711b8bf3c76e1736f8cf8a1bc50278b39

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
5a6845f9aac2b1e3dad10a7b0579f543

SHA1
8fdb819844518dbb2843dbe8b88ff714d8959ab9

SHA256
0b4de9909a3135489e9e8b30200d8445a0fc5f2e95059fd77cd5c042687ab79d

SHA512
af9256f48cee5457d8c1114ecc7ee4241e78ca7f11c6f1df2c283bf46ac24361d723ce6dc2f77ab9ebe6114e07e2a5dbbd6a0b8ee271b5972608dc03ed3ef73e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
25a47e8033c9506cab139ca8e48db9c8

SHA1
8e2952e4385acf488c52c4856a81237e1880e86a

SHA256
db837840a3229baa4f36fa585977de494e6c705ac4fd761d639034facb4cc049

SHA512
8c51e9c9aca795db7b7e2faacefcde20a7aac343e54da4ee6276dd339662c43bd2a52dd2ed1ad4e9d5af829e4c8e0447877bb3358993974755a762196ea46c23

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
3d1a9104ee433e3870fb4c095023a057

SHA1
2c93265aa14d9cae8be8f9239544d57b903349d4

SHA256
a245f1d57e600e64d6d8d7cad3f91a40009c3074382af049c8aaf0db7594db9f

SHA512
e2dd25571ad23529e7b4039701ef7a6648726f3eb7dc333aa59621fd18eac964c0c85e587fc1128e03a8998b5bcf3fc5309e26c70f6dfc137273d944d0db75b4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8cc5f8b64634b97be9e17b2115ed438c

SHA1
5802b74f192e4b8c1dbe547e95a4ff323a8f79dc

SHA256
1564f2b72c33d08d4643fb10047af5bcabb4f7a3e7ea8638857dd5e36b45c89e

SHA512
18af668e0cbd762b9aadc4f0f6297515c6c4b02c038bba90a310641e92c1ad0466b27e95b7cb2331afd6fda1c81046a44f0aac5858134d39ba0b787078885951

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
68a460cf6141a84eb4a95c447a5be36a

SHA1
548ae788ec46bd3916e70e3cb3faabd8c0f2ce53

SHA256
4cc46de26242a7642f79f55f8353fc33527a40523d3a93d013678ec7ced6fa3d

SHA512
b4e9ec3794817152cd334ea1d583ae00811f5ddbf60cdb0d339b7107abf3c3e9fd8c233b175e5162faaa2f7304384f598665da02bf5b22409a71e2eb646fb68f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
53d100d72c33f873f06416b417d5ef25

SHA1
b47f8a2575479e30dc1e3bfc63f16c2b2d6259d9

SHA256
eb103e2e5da9ce2c151693864666492f72af1317287b49abb9f348a192369fa5

SHA512
bbeaab1d162028b8ef6a0278a223cc90ee83cdb3f65c93b4d61be3e2ee59b8b09aa44d456a33249eabfc20c79e4e02a97eff0fceaada9b4c1447a0729186eb03

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
a1a05368eb9456635c1ee7c493528354

SHA1
dac35fa1a84cfcd2eb532ac8389d61bd3dfd2e62

SHA256
c9ccec2722e96b6ee11019e4dc596f35f44e62b2238e6db77cb7187b4db913ea

SHA512
316c629002ceebb797dc7b3e4e1c489f2a5a47c98b27527033d10aa36e8c787dc913ef247724decc906c508b87b78267f77f82b15c58276ee66e102f3dc130c9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
ebdb45f7031449e304814c3c7f5dc22d

SHA1
3564a5aaf6a8afa1557dfef6fad248688d96e0bd

SHA256
fce24cb12dc7a37cf7a7f14fe514baa522cf513a4934b797482619e30999848c

SHA512
37a2419d17fa4a085aa067940f7267e13c37af746c3468ac16877cc8dbc001ee417a32511662d38f2b0d9c69a128dee3a2df389f7c920c2fbaec384e2c37c639

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
4eaf77c36703d95388e93ad5d0688dfe

SHA1
4401b941d6c157ce0e458ac60fecba06eef63d68

SHA256
031e075a1a53f579fc1db78b78be380ae5f361cc8b6158b57a5ba9ce702b5847

SHA512
c6ac582db0e030acbd38789988e420b68742a5a57338f782092acfe553cadb34e4ff676935988a73d91e6d6300387abe4c080fe32f9a1a3d500e7353b92e99f8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
4faebfbe84db665cee05db3348210289

SHA1
69fea5d3dc6a9c5d0cc40f8ffd615fcfcaf3cefb

SHA256
a1c81e85113bcb0897b0791286a7cacec0198a76a7e4a84df5e7fb97976719ce

SHA512
33caf64da06864b11ec1e09cd3fb5c50094788ceefc9af300ee0dbf59a8aaaa174b09bb6705f57c8c1535af86204b3e7d78ef11d171481b0ba02cb385bddbf82

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5e135ebd8294cef4f7d69ae6f51cc4b6

SHA1
c81a2ef5ecce371724935498c8a3380a2e4639a7

SHA256
9a9778d03efeec404718a5ded17a19a8126e4c0872029df21c4d1c706b60cd25

SHA512
6fd72269e4f4dcb634eb06f4776f893069fccae5f1ab3756b1a9e726c89c068f30b01925c576220173f0f97e6da250624a0ec74c0ace68cf70de04bea1435f8e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9d57c1034a2736ef847f6d1d32a8530f

SHA1
b8ffa33ae1d65bac99fd965ad61a464d403ff4c3

SHA256
7160ad5a6850881ba02407d6bb89467065be69ccedc3fa4a6e6a2b38cb969fd6

SHA512
46d737c26b7ff94be7adc9aa3adc15b6a2f73143f7c49fa2cc2c0b1f0987e066b9da03b2befac55912569f88c87008914ecf7bb68564840929496010d0c7e71e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
2219b5c569fd4566d0c89718bde7de9b

SHA1
64299a40b7edaa7add7a60517bb37899ce0eeeff

SHA256
2058ca49a58dc3f27b55a3242ddd5b2382097e1e0eb0919275783c565af7c255

SHA512
8373953d7805c29084ffaa349eadc3074c76461a68cd46eb7d9f7ff84bbd5791d296d894d6d595f3c51538d998a029f2e42e789acbae9fa67952334dd0a63143

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e8b0ad16ba67f87ff09436078a2acb84

SHA1
d8d82cbb3b232edc06b9bd32a323bc4853d50e3a

SHA256
8c5d85fa531f27e66bc4de1f310390ee64d9ea1364b9571220cc5398636b73d7

SHA512
6367787a5d3261d59c0009e89be15cc416d0aa1ff92e220e855715c82162239f40d76cea6604a9b40e4e875c17c0b258d3a590fa5d9567547e36a685bd32ccbf

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
22de6a661b6b2559749570a3cfaa7ce9

SHA1
70bf910ee365e76f5da7989186d6a42c518ade0a

SHA256
cc67c88b29d128ccd0b3950779421e0971814ddfdce52d28882c1bc3dc750869

SHA512
cd0d6926c09f984abfd18d06ae581212d5dd00b3f3b34a0d187dfa1aed75195d72c9ab7a244cc8646aa6c81f4defb25501c84621ef3b099eb89068e082a83ab4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
4a9777f3337845b1304d450208b5c894

SHA1
56e9c81bc75ab1d985ec705bcd43b618c36b61a0

SHA256
7958bd3c094a1d0100dd2d1b404cbee15e962f8a1212524b1eb11f2d2b8c4268

SHA512
702a0c72f66716a4795d9b6958f96663d201a4ffc1643fdd29c475703e2bdfa69439d7e45fbf7ae29e33dcd22acfa9c850c98761356958953aadc451237a8ae7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
8a64fa4e72fab3089c0ca80eb4ea77a6

SHA1
a6f4fde178e20c9270c8d21af964760712edf62e

SHA256
fdffaf567440a6fdd1445b5b89f07bb39b0f4e889b8830522c4a663843e09820

SHA512
b4167f3e7529c82d9da7697dc7ec6194ba08e7b375f65ddeb3506e3f776aab27251aab61d49a36c17a7fcb41567202e4a48100a17a4ce7369d370611c9f864ba

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
615d416755b005bc78a70d15b1352b58

SHA1
1559acb18cdb2e216ad9b501a98ba392743a70bb

SHA256
6042a02669225d740c36487691b1cec93088dfe518646a40eae67fa400db2395

SHA512
ebf20f41471670c390659079e85a08ee22c319c7d750e975d09003596a824c0808f17d7eaf3b3505f1d20be1299fc881f7d4ef23f384e07c5e9b6bd717b32b6e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
959d5b3ab35eca57f5e1fdca8b32cd2a

SHA1
5581f2b45729258551272b5feaf2eba97a0d4b76

SHA256
ba45a2108ba06f8827ec2e3b777fb6cc4c2f6bdf0b321dd8d4294a6d04024b04

SHA512
e89ac94f8fd87387f25d1762e88c790d1fc6bf44de902a31e14eaacde149089dbae7c05bab876a9b2dea2d6dae1346ca951a2e3c33e8f745c65c83f03591ed4f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b8332b7f08e8a80dfc7c9a986e2fb2ed

SHA1
3bafd075b2523e3c15cf67eb79e27a5f5a9396cd

SHA256
b6c40040a0efa883f1be649378d46c5217f5a51a18e0611755812ebfa560b162

SHA512
f8d7824aeac2218ff3b2e70cec75ca21e1a684b95acf8374df11148e34708032283b8c4f1a7e787aa6d1ae1c0c20820f3f31dbb2a60a1a274976b98af665d970

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
db4aa0cbb2cb7db92284face8024aa53

SHA1
5a23c61fbdc8932bac508c0e1abcce770269ee5e

SHA256
2bba34308ab9024f683b720f28b22e52c813131afc83677a76d0b7a85be9ff55

SHA512
2d927f03cb233a1f520e8c41eefad421d769135a4c9eec88b930c50ab252c01955ea6ae28cfffc580c5882268cb7cc0739a2dc97c43726b606e84b8ee036f499

Download Submit
memory/408-291-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/408-392-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/960-297-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/960-416-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1032-249-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1032-363-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1032-243-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1032-242-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1160-235-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1160-38-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1160-30-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1160-36-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1192-577-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1192-364-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1632-331-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1632-567-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1748-63-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1748-52-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/1748-74-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1748-58-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/2116-429-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2116-308-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2116-575-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2276-12-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2276-23-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2276-22-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2276-234-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2420-582-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2420-405-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2500-381-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2500-580-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2640-566-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2640-328-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3056-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3056-41-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3056-60-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3056-238-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3144-1-0x0000000000C00000-0x0000000000C67000-memory.dmp

Filesize
412KB

Download
memory/3144-8-0x0000000000C00000-0x0000000000C67000-memory.dmp

Filesize
412KB

Download
memory/3144-0-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/3144-27-0x0000000000400000-0x000000000063A000-memory.dmp

Filesize
2.2MB

Download
memory/3444-581-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3444-393-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3712-425-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3712-583-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3936-254-0x0000000000EC0000-0x0000000000F20000-memory.dmp

Filesize
384KB

Download
memory/3936-253-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3936-266-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4212-438-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4212-584-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4568-380-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4568-268-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4788-343-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4788-576-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4828-404-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4828-294-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4868-66-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4868-75-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4868-72-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4964-366-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4964-378-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download