xtremerat | eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

Analysis

max time kernel
177s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
Size

532KB
MD5

80c2838bc5c5ebe29e4f87bc02d0bc01
SHA1

1182ed800987cad18ec1cda2cd9a833e1abd9687
SHA256

eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf
SHA512

70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1
SSDEEP

12288:86Wq4aaE6KwyF5L0Y2D1PqLaD0+dj3kuLkv3cH8:6thEVaPqLZ+dj0uLEMc

Score

10^/10

xtremerat persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

golij.redirectme.net

蠀C:\Usertiriberk.ddns.net

nikberkactivi.ddns.net

Signatures

Detect XtremeRAT payload 39 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1472-66-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1472-67-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1344-71-0x0000000000000000-mapping.dmp	family_xtremerat
behavioral1/memory/1344-72-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1472-75-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1472-82-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1344-102-0x0000000002870000-0x0000000002990000-memory.dmp	family_xtremerat
behavioral1/memory/1752-112-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/832-113-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2016-130-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1048-146-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/832-149-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1512-165-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2016-179-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1048-183-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/540-184-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1512-201-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1096-202-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1732-218-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/540-222-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2040-236-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1340-252-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2040-254-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1096-255-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1732-256-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1924-272-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1340-273-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1664-291-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1096-307-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1924-310-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2088-324-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1096-326-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2212-343-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1664-348-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2368-362-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2488-378-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2676-399-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2088-398-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2488-412-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Executes dropped EXE 54 IoCs

Processes:

SDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exe

pid	process
964	SDE.exe
1512	SDE.exe
832	SDE.exe
1752	SDE.exe
592	SDE.exe
2016	SDE.exe
1868	SDE.exe
1048	SDE.exe
1404	SDE.exe
1512	SDE.exe
1936	SDE.exe
540	SDE.exe
1536	SDE.exe
1096	SDE.exe
1532	SDE.exe
1732	SDE.exe
1292	SDE.exe
2040	SDE.exe
1396	SDE.exe
1340	SDE.exe
1540	SDE.exe
1924	SDE.exe
956	SDE.exe
1664	SDE.exe
1732	SDE.exe
1096	SDE.exe
2052	SDE.exe
2088	SDE.exe
2180	SDE.exe
2212	SDE.exe
2332	SDE.exe
2368	SDE.exe
2460	SDE.exe
2488	SDE.exe
2632	SDE.exe
2676	SDE.exe
2780	SDE.exe
2824	SDE.exe
2940	SDE.exe
2972	SDE.exe
3060	SDE.exe
1952	SDE.exe
2252	SDE.exe
2352	SDE.exe
2476	SDE.exe
2484	SDE.exe
2160	SDE.exe
2744	SDE.exe
2568	SDE.exe
2760	SDE.exe
2284	SDE.exe
1580	SDE.exe
2824	SDE.exe
1636	SDE.exe

Modifies Installed Components in the registry 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exesvchost.exeSDE.exeSDE.exeSDE.exeeb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe restart"	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{3QJ61200-U472-R556-T4DP-058K1LRLYN44}	SDE.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/936-55-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/1472-57-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1472-59-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1472-60-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/936-63-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/1472-65-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1472-66-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1472-67-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1472-68-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/1344-72-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe	upx
behavioral1/memory/1472-75-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe	upx
\Users\Admin\AppData\Roaming\SDE\SDE.exe	upx
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe	upx
\Users\Admin\AppData\Roaming\SDE\SDE.exe	upx
behavioral1/memory/1472-82-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1512-93-0x0000000000400000-0x0000000000520000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe	upx
behavioral1/memory/1344-102-0x0000000002870000-0x0000000002990000-memory.dmp	upx
behavioral1/memory/964-103-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/964-107-0x0000000000400000-0x0000000000520000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe	upx
behavioral1/memory/1752-112-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/832-113-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe	upx
behavioral1/memory/592-125-0x0000000000400000-0x0000000000520000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe	upx
behavioral1/memory/2016-130-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe	upx
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe	upx
behavioral1/memory/1868-142-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/1048-146-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe	upx
behavioral1/memory/832-149-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1404-151-0x0000000000400000-0x0000000000520000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe	upx
behavioral1/memory/1404-160-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/1512-165-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe	upx
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe	upx
behavioral1/memory/1936-177-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/2016-179-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1048-183-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/540-184-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe	upx
behavioral1/memory/1536-196-0x0000000000400000-0x0000000000520000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe	upx
behavioral1/memory/1512-201-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1096-202-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe	upx
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe	upx
behavioral1/memory/1532-214-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/1732-218-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/540-222-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe	upx
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe	upx
behavioral1/memory/1292-232-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/2040-236-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe	upx
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe	upx
behavioral1/memory/1396-248-0x0000000000400000-0x0000000000520000-memory.dmp	upx
behavioral1/memory/1340-252-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2040-254-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

svchost.exeeb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe

pid process

1344 svchost.exe
1472 eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe

pid	process
1344	svchost.exe
1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeeb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exeSDE.exeSDE.exesvchost.exeSDE.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IKU = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IKU = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IKU = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IKU = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\FGT = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IKU = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\FGT = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IKU = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\FGT = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\FGT = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IKU = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\FGT = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\FGT = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IKU = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IKU = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\FGT = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\FGT = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\FGT = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\FGT = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\FGT = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IKU = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\FGT = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IKU = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IKU = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IKU = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\FGT = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IKU = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IKU = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\FGT = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	SDE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\FGT = "C:\\Users\\Admin\\AppData\\Roaming\\SDE\\SDE.exe"	SDE.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	SDE.exe

AutoIT Executable 24 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/memory/936-55-0x0000000000400000-0x0000000000520000-memory.dmp	autoit_exe
behavioral1/memory/936-63-0x0000000000400000-0x0000000000520000-memory.dmp	autoit_exe
behavioral1/memory/1512-93-0x0000000000400000-0x0000000000520000-memory.dmp	autoit_exe
behavioral1/memory/964-103-0x0000000000400000-0x0000000000520000-memory.dmp	autoit_exe
behavioral1/memory/964-107-0x0000000000400000-0x0000000000520000-memory.dmp	autoit_exe
behavioral1/memory/592-125-0x0000000000400000-0x0000000000520000-memory.dmp	autoit_exe
behavioral1/memory/1868-142-0x0000000000400000-0x0000000000520000-memory.dmp	autoit_exe
behavioral1/memory/1404-151-0x0000000000400000-0x0000000000520000-memory.dmp	autoit_exe
behavioral1/memory/1404-160-0x0000000000400000-0x0000000000520000-memory.dmp	autoit_exe
behavioral1/memory/1936-177-0x0000000000400000-0x0000000000520000-memory.dmp	autoit_exe
behavioral1/memory/1536-196-0x0000000000400000-0x0000000000520000-memory.dmp	autoit_exe
behavioral1/memory/1532-214-0x0000000000400000-0x0000000000520000-memory.dmp	autoit_exe
behavioral1/memory/1292-232-0x0000000000400000-0x0000000000520000-memory.dmp	autoit_exe
behavioral1/memory/1396-248-0x0000000000400000-0x0000000000520000-memory.dmp	autoit_exe
behavioral1/memory/1540-268-0x0000000000400000-0x0000000000520000-memory.dmp	autoit_exe
behavioral1/memory/956-277-0x0000000000400000-0x0000000000520000-memory.dmp	autoit_exe
behavioral1/memory/956-286-0x0000000000400000-0x0000000000520000-memory.dmp	autoit_exe
behavioral1/memory/1732-303-0x0000000000400000-0x0000000000520000-memory.dmp	autoit_exe
behavioral1/memory/2052-321-0x0000000000400000-0x0000000000520000-memory.dmp	autoit_exe
behavioral1/memory/2180-339-0x0000000000400000-0x0000000000520000-memory.dmp	autoit_exe
behavioral1/memory/2332-357-0x0000000000400000-0x0000000000520000-memory.dmp	autoit_exe
behavioral1/memory/2460-374-0x0000000000400000-0x0000000000520000-memory.dmp	autoit_exe
behavioral1/memory/2632-390-0x0000000000400000-0x0000000000520000-memory.dmp	autoit_exe
behavioral1/memory/2780-408-0x0000000000400000-0x0000000000520000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 28 IoCs

Processes:

eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exeSDE.exe

description	pid	process	target process
PID 936 set thread context of 1472	936	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
PID 1512 set thread context of 832	1512	SDE.exe	SDE.exe
PID 964 set thread context of 1752	964	SDE.exe	SDE.exe
PID 592 set thread context of 2016	592	SDE.exe	SDE.exe
PID 1868 set thread context of 1048	1868	SDE.exe	SDE.exe
PID 1404 set thread context of 1512	1404	SDE.exe	SDE.exe
PID 1936 set thread context of 540	1936	SDE.exe	SDE.exe
PID 1536 set thread context of 1096	1536	SDE.exe	SDE.exe
PID 1532 set thread context of 1732	1532	SDE.exe	SDE.exe
PID 1292 set thread context of 2040	1292	SDE.exe	SDE.exe
PID 1396 set thread context of 1340	1396	SDE.exe	SDE.exe
PID 1540 set thread context of 1924	1540	SDE.exe	SDE.exe
PID 956 set thread context of 1664	956	SDE.exe	SDE.exe
PID 1732 set thread context of 1096	1732	SDE.exe	SDE.exe
PID 2052 set thread context of 2088	2052	SDE.exe	SDE.exe
PID 2180 set thread context of 2212	2180	SDE.exe	SDE.exe
PID 2332 set thread context of 2368	2332	SDE.exe	SDE.exe
PID 2460 set thread context of 2488	2460	SDE.exe	SDE.exe
PID 2632 set thread context of 2676	2632	SDE.exe	SDE.exe
PID 2780 set thread context of 2824	2780	SDE.exe	SDE.exe
PID 2940 set thread context of 2972	2940	SDE.exe	SDE.exe
PID 3060 set thread context of 1952	3060	SDE.exe	SDE.exe
PID 2252 set thread context of 2352	2252	SDE.exe	SDE.exe
PID 2476 set thread context of 2484	2476	SDE.exe	SDE.exe
PID 2160 set thread context of 2744	2160	SDE.exe	SDE.exe
PID 2568 set thread context of 2760	2568	SDE.exe	SDE.exe
PID 2284 set thread context of 1580	2284	SDE.exe	SDE.exe
PID 2824 set thread context of 1636	2824	SDE.exe	SDE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

pid	process
936	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
936	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
936	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
936	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
964	SDE.exe
1512	SDE.exe
964	SDE.exe
1512	SDE.exe
1512	SDE.exe
964	SDE.exe
592	SDE.exe
592	SDE.exe
592	SDE.exe
1868	SDE.exe
1868	SDE.exe
1868	SDE.exe
1404	SDE.exe
1404	SDE.exe
1404	SDE.exe
1936	SDE.exe
1936	SDE.exe
1936	SDE.exe
1536	SDE.exe
1536	SDE.exe
1536	SDE.exe
1532	SDE.exe
1532	SDE.exe
1532	SDE.exe
1292	SDE.exe
1292	SDE.exe
1292	SDE.exe
1396	SDE.exe
1396	SDE.exe
1396	SDE.exe
1540	SDE.exe
1540	SDE.exe
1540	SDE.exe
956	SDE.exe
956	SDE.exe
956	SDE.exe
1732	SDE.exe
1732	SDE.exe
1732	SDE.exe
2052	SDE.exe
2052	SDE.exe
2052	SDE.exe
2180	SDE.exe
2180	SDE.exe
2180	SDE.exe
2332	SDE.exe
2332	SDE.exe
2332	SDE.exe
2460	SDE.exe
2460	SDE.exe
2460	SDE.exe
2632	SDE.exe
2632	SDE.exe
2632	SDE.exe
2780	SDE.exe
2780	SDE.exe
2780	SDE.exe
2940	SDE.exe
2940	SDE.exe
2940	SDE.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

pid	process
936	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
936	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
936	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
936	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
964	SDE.exe
1512	SDE.exe
964	SDE.exe
1512	SDE.exe
1512	SDE.exe
964	SDE.exe
592	SDE.exe
592	SDE.exe
592	SDE.exe
1868	SDE.exe
1868	SDE.exe
1868	SDE.exe
1404	SDE.exe
1404	SDE.exe
1404	SDE.exe
1936	SDE.exe
1936	SDE.exe
1936	SDE.exe
1536	SDE.exe
1536	SDE.exe
1536	SDE.exe
1532	SDE.exe
1532	SDE.exe
1532	SDE.exe
1292	SDE.exe
1292	SDE.exe
1292	SDE.exe
1396	SDE.exe
1396	SDE.exe
1396	SDE.exe
1540	SDE.exe
1540	SDE.exe
1540	SDE.exe
956	SDE.exe
956	SDE.exe
956	SDE.exe
1732	SDE.exe
1732	SDE.exe
1732	SDE.exe
2052	SDE.exe
2052	SDE.exe
2052	SDE.exe
2180	SDE.exe
2180	SDE.exe
2180	SDE.exe
2332	SDE.exe
2332	SDE.exe
2332	SDE.exe
2460	SDE.exe
2460	SDE.exe
2460	SDE.exe
2632	SDE.exe
2632	SDE.exe
2632	SDE.exe
2780	SDE.exe
2780	SDE.exe
2780	SDE.exe
2940	SDE.exe
2940	SDE.exe
2940	SDE.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exeeb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exesvchost.exeSDE.exe

description	pid	process	target process
PID 936 wrote to memory of 1472	936	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
PID 936 wrote to memory of 1472	936	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
PID 936 wrote to memory of 1472	936	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
PID 936 wrote to memory of 1472	936	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
PID 936 wrote to memory of 1472	936	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
PID 936 wrote to memory of 1472	936	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
PID 936 wrote to memory of 1472	936	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
PID 936 wrote to memory of 1472	936	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
PID 1472 wrote to memory of 1344	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	svchost.exe
PID 1472 wrote to memory of 1344	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	svchost.exe
PID 1472 wrote to memory of 1344	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	svchost.exe
PID 1472 wrote to memory of 1344	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	svchost.exe
PID 1472 wrote to memory of 1344	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	svchost.exe
PID 1472 wrote to memory of 1888	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 1888	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 1888	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 1888	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 1888	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 324	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 324	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 324	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 324	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 324	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 1820	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 1820	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 1820	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 1820	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 1820	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 1808	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 1808	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 1808	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 1808	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 1808	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 616	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 616	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 616	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 616	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 616	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 1548	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 1548	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 1548	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 1548	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 1548	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 1552	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 1552	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 1552	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 1552	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 1552	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 308	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 308	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 308	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1472 wrote to memory of 308	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	iexplore.exe
PID 1344 wrote to memory of 964	1344	svchost.exe	SDE.exe
PID 1344 wrote to memory of 964	1344	svchost.exe	SDE.exe
PID 1344 wrote to memory of 964	1344	svchost.exe	SDE.exe
PID 1344 wrote to memory of 964	1344	svchost.exe	SDE.exe
PID 1472 wrote to memory of 1512	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	SDE.exe
PID 1472 wrote to memory of 1512	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	SDE.exe
PID 1472 wrote to memory of 1512	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	SDE.exe
PID 1472 wrote to memory of 1512	1472	eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe	SDE.exe
PID 1512 wrote to memory of 832	1512	SDE.exe	SDE.exe
PID 1512 wrote to memory of 832	1512	SDE.exe	SDE.exe
PID 1512 wrote to memory of 832	1512	SDE.exe	SDE.exe
PID 1512 wrote to memory of 832	1512	SDE.exe	SDE.exe

C:\Users\Admin\AppData\Local\Temp\eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
"C:\Users\Admin\AppData\Local\Temp\eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:936

C:\Users\Admin\AppData\Local\Temp\eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe
"C:\Users\Admin\AppData\Local\Temp\eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf.exe"
2⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1344

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:964

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
5⤵
- Executes dropped EXE
PID:1752

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:592

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:2016

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:320

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2020

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:936

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:568

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1576

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1140

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1868

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:1048

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1388

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1152

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:964

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1936

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:540

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1588

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:572

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1908

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:848

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2044

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1404

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1136

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:592

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1292

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
7⤵
- Executes dropped EXE
PID:2040

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1536

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:1096

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1992

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1624

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1064

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1884

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:608

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1316

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1752

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1532

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:1732

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1564

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1048

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1092

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1708

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1396

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:1340

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1572

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1960

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1764

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1540

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:1924

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1712

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:832

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:976

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1396

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1332

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1868

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1216

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1512

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2052

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
7⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:2088

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2168

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2276

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2304

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2424

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2544

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2584

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2608

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2660

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2780

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
9⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:2824

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:2892

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:2924

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
10⤵
PID:3032

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:956

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:1664

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1448

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:680

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1308

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1656

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1732

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2148

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2268

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2296

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2332

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
7⤵
- Executes dropped EXE
PID:2368

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1732

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:1096

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1640

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1900

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2180

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:2212

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2436

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2552

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2592

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2616

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2668

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2880

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2916

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2932

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3060

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
7⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:1952

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2140

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2256

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2292

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2460

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:2488

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2576

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2600

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2624

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2732

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2632

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:2676

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2768

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2940

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:2972

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2128

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:1096

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2244

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2336

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2420

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2448

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2648

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2636

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2160

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
7⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:2744

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2864

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:3000

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:3024

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2252

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:2352

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2400

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2432

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2468

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2688

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2712

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2860

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2964

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3016

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2284

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
7⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:1580

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2100

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
8⤵
PID:2332

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2476

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:2484

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2700

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2720

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2568

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
5⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:2760

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2940

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:3068

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2888

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2824

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
5⤵
- Executes dropped EXE
PID:1636

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1888

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:324

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1820

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1808

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:616

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1548

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:1552

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
PID:308

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
4⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:832

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1480

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1608

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1880

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1684

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:656

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:912

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:880

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1740

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1404

C:\Users\Admin\AppData\Roaming\SDE\SDE.exe
"C:\Users\Admin\AppData\Roaming\SDE\SDE.exe"
6⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Adds Run key to start application
PID:1512

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1228

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1600

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1328

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WLAV0k.cfg

Filesize
1KB

MD5
857ee6625e7aeb4ae0e31c7bd147ccd9

SHA1
e393904b6b200c98ba987172b5960b1edc8edd70

SHA256
22d00e78cbb5364eac840d4a89b7a01e17590a9454304d1d6e0f8db94161e825

SHA512
d7636dfe18bf5ab87b05ce2515b3d5dc1c89d5afcd4b19a85c33916cd2ebb931911093cacea8e3709dda4d9761864ff2f0c16c986201dc185013f46fc30db62a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WLAV0k.cfg

Filesize
1KB

MD5
857ee6625e7aeb4ae0e31c7bd147ccd9

SHA1
e393904b6b200c98ba987172b5960b1edc8edd70

SHA256
22d00e78cbb5364eac840d4a89b7a01e17590a9454304d1d6e0f8db94161e825

SHA512
d7636dfe18bf5ab87b05ce2515b3d5dc1c89d5afcd4b19a85c33916cd2ebb931911093cacea8e3709dda4d9761864ff2f0c16c986201dc185013f46fc30db62a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WLAV0k.cfg

Filesize
1KB

MD5
857ee6625e7aeb4ae0e31c7bd147ccd9

SHA1
e393904b6b200c98ba987172b5960b1edc8edd70

SHA256
22d00e78cbb5364eac840d4a89b7a01e17590a9454304d1d6e0f8db94161e825

SHA512
d7636dfe18bf5ab87b05ce2515b3d5dc1c89d5afcd4b19a85c33916cd2ebb931911093cacea8e3709dda4d9761864ff2f0c16c986201dc185013f46fc30db62a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WLAV0k.cfg

Filesize
1KB

MD5
857ee6625e7aeb4ae0e31c7bd147ccd9

SHA1
e393904b6b200c98ba987172b5960b1edc8edd70

SHA256
22d00e78cbb5364eac840d4a89b7a01e17590a9454304d1d6e0f8db94161e825

SHA512
d7636dfe18bf5ab87b05ce2515b3d5dc1c89d5afcd4b19a85c33916cd2ebb931911093cacea8e3709dda4d9761864ff2f0c16c986201dc185013f46fc30db62a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WLAV0k.cfg

Filesize
1KB

MD5
857ee6625e7aeb4ae0e31c7bd147ccd9

SHA1
e393904b6b200c98ba987172b5960b1edc8edd70

SHA256
22d00e78cbb5364eac840d4a89b7a01e17590a9454304d1d6e0f8db94161e825

SHA512
d7636dfe18bf5ab87b05ce2515b3d5dc1c89d5afcd4b19a85c33916cd2ebb931911093cacea8e3709dda4d9761864ff2f0c16c986201dc185013f46fc30db62a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WLAV0k.cfg

Filesize
1KB

MD5
857ee6625e7aeb4ae0e31c7bd147ccd9

SHA1
e393904b6b200c98ba987172b5960b1edc8edd70

SHA256
22d00e78cbb5364eac840d4a89b7a01e17590a9454304d1d6e0f8db94161e825

SHA512
d7636dfe18bf5ab87b05ce2515b3d5dc1c89d5afcd4b19a85c33916cd2ebb931911093cacea8e3709dda4d9761864ff2f0c16c986201dc185013f46fc30db62a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WLAV0k.cfg

Filesize
1KB

MD5
857ee6625e7aeb4ae0e31c7bd147ccd9

SHA1
e393904b6b200c98ba987172b5960b1edc8edd70

SHA256
22d00e78cbb5364eac840d4a89b7a01e17590a9454304d1d6e0f8db94161e825

SHA512
d7636dfe18bf5ab87b05ce2515b3d5dc1c89d5afcd4b19a85c33916cd2ebb931911093cacea8e3709dda4d9761864ff2f0c16c986201dc185013f46fc30db62a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WLAV0k.cfg

Filesize
1KB

MD5
857ee6625e7aeb4ae0e31c7bd147ccd9

SHA1
e393904b6b200c98ba987172b5960b1edc8edd70

SHA256
22d00e78cbb5364eac840d4a89b7a01e17590a9454304d1d6e0f8db94161e825

SHA512
d7636dfe18bf5ab87b05ce2515b3d5dc1c89d5afcd4b19a85c33916cd2ebb931911093cacea8e3709dda4d9761864ff2f0c16c986201dc185013f46fc30db62a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WLAV0k.cfg

Filesize
1KB

MD5
857ee6625e7aeb4ae0e31c7bd147ccd9

SHA1
e393904b6b200c98ba987172b5960b1edc8edd70

SHA256
22d00e78cbb5364eac840d4a89b7a01e17590a9454304d1d6e0f8db94161e825

SHA512
d7636dfe18bf5ab87b05ce2515b3d5dc1c89d5afcd4b19a85c33916cd2ebb931911093cacea8e3709dda4d9761864ff2f0c16c986201dc185013f46fc30db62a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WLAV0k.cfg

Filesize
1KB

MD5
857ee6625e7aeb4ae0e31c7bd147ccd9

SHA1
e393904b6b200c98ba987172b5960b1edc8edd70

SHA256
22d00e78cbb5364eac840d4a89b7a01e17590a9454304d1d6e0f8db94161e825

SHA512
d7636dfe18bf5ab87b05ce2515b3d5dc1c89d5afcd4b19a85c33916cd2ebb931911093cacea8e3709dda4d9761864ff2f0c16c986201dc185013f46fc30db62a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WLAV0k.cfg

Filesize
1KB

MD5
857ee6625e7aeb4ae0e31c7bd147ccd9

SHA1
e393904b6b200c98ba987172b5960b1edc8edd70

SHA256
22d00e78cbb5364eac840d4a89b7a01e17590a9454304d1d6e0f8db94161e825

SHA512
d7636dfe18bf5ab87b05ce2515b3d5dc1c89d5afcd4b19a85c33916cd2ebb931911093cacea8e3709dda4d9761864ff2f0c16c986201dc185013f46fc30db62a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WLAV0k.cfg

Filesize
1KB

MD5
857ee6625e7aeb4ae0e31c7bd147ccd9

SHA1
e393904b6b200c98ba987172b5960b1edc8edd70

SHA256
22d00e78cbb5364eac840d4a89b7a01e17590a9454304d1d6e0f8db94161e825

SHA512
d7636dfe18bf5ab87b05ce2515b3d5dc1c89d5afcd4b19a85c33916cd2ebb931911093cacea8e3709dda4d9761864ff2f0c16c986201dc185013f46fc30db62a

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
C:\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
\Users\Admin\AppData\Roaming\SDE\SDE.exe

Filesize
532KB

MD5
80c2838bc5c5ebe29e4f87bc02d0bc01

SHA1
1182ed800987cad18ec1cda2cd9a833e1abd9687

SHA256
eb48d65cd4d30ce8afae1be72c234eff298d3c6cfd20d6bc66f1d16612072cbf

SHA512
70dd7006479c591e478a1165dd1c1a690ea0bcdaa692cccbff5d9d8552c998ff9d842ee4b2ed1f0d35324e5747d910e7b06906ed83b6332b0dd3537eab09edc1

Download Submit
memory/540-174-0x0000000000C94870-mapping.dmp

Download
memory/540-184-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/540-222-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/592-114-0x0000000000000000-mapping.dmp

Download
memory/592-125-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/832-90-0x0000000000C94870-mapping.dmp

Download
memory/832-149-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/832-113-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/936-63-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/936-54-0x0000000075EC1000-0x0000000075EC3000-memory.dmp

Filesize
8KB

Download
memory/936-55-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/956-286-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/956-274-0x0000000000000000-mapping.dmp

Download
memory/956-277-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/964-78-0x0000000000000000-mapping.dmp

Download
memory/964-103-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/964-107-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1048-183-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1048-146-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1048-139-0x0000000000C94870-mapping.dmp

Download
memory/1096-255-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1096-300-0x0000000000C94870-mapping.dmp

Download
memory/1096-326-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1096-202-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1096-193-0x0000000000C94870-mapping.dmp

Download
memory/1096-307-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1292-220-0x0000000000000000-mapping.dmp

Download
memory/1292-232-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1340-252-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1340-245-0x0000000000C94870-mapping.dmp

Download
memory/1340-273-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1344-71-0x0000000000000000-mapping.dmp

Download
memory/1344-72-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1344-164-0x0000000002870000-0x0000000002990000-memory.dmp

Filesize
1.1MB

Download
memory/1344-102-0x0000000002870000-0x0000000002990000-memory.dmp

Filesize
1.1MB

Download
memory/1396-248-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1396-237-0x0000000000000000-mapping.dmp

Download
memory/1404-151-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1404-147-0x0000000000000000-mapping.dmp

Download
memory/1404-160-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1472-59-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1472-75-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1472-65-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1472-68-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1472-61-0x0000000000C94870-mapping.dmp

Download
memory/1472-67-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1472-56-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1472-57-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1472-60-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1472-66-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1472-82-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1512-165-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1512-79-0x0000000000000000-mapping.dmp

Download
memory/1512-201-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1512-157-0x0000000000C94870-mapping.dmp

Download
memory/1512-93-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1532-203-0x0000000000000000-mapping.dmp

Download
memory/1532-214-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1536-185-0x0000000000000000-mapping.dmp

Download
memory/1536-196-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1540-257-0x0000000000000000-mapping.dmp

Download
memory/1540-268-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1580-524-0x0000000000C94870-mapping.dmp

Download
memory/1636-540-0x0000000000C94870-mapping.dmp

Download
memory/1664-283-0x0000000000C94870-mapping.dmp

Download
memory/1664-291-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1664-348-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1732-256-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1732-292-0x0000000000000000-mapping.dmp

Download
memory/1732-211-0x0000000000C94870-mapping.dmp

Download
memory/1732-218-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1732-303-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1752-112-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1752-104-0x0000000000C94870-mapping.dmp

Download
memory/1868-142-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1868-131-0x0000000000000000-mapping.dmp

Download
memory/1924-265-0x0000000000C94870-mapping.dmp

Download
memory/1924-310-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1924-272-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1936-166-0x0000000000000000-mapping.dmp

Download
memory/1936-177-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1952-441-0x0000000000C94870-mapping.dmp

Download
memory/2016-122-0x0000000000C94870-mapping.dmp

Download
memory/2016-130-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2016-179-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2040-236-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2040-229-0x0000000000C94870-mapping.dmp

Download
memory/2040-254-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2052-308-0x0000000000000000-mapping.dmp

Download
memory/2052-321-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2088-317-0x0000000000C94870-mapping.dmp

Download
memory/2088-324-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2088-398-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2160-485-0x0000000000000000-mapping.dmp

Download
memory/2180-339-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2180-327-0x0000000000000000-mapping.dmp

Download
memory/2180-330-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2212-336-0x0000000000C94870-mapping.dmp

Download
memory/2212-343-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2252-452-0x0000000000000000-mapping.dmp

Download
memory/2284-516-0x0000000000000000-mapping.dmp

Download
memory/2332-345-0x0000000000000000-mapping.dmp

Download
memory/2332-357-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2352-460-0x0000000000C94870-mapping.dmp

Download
memory/2368-354-0x0000000000C94870-mapping.dmp

Download
memory/2368-362-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2460-374-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2460-363-0x0000000000000000-mapping.dmp

Download
memory/2476-470-0x0000000000000000-mapping.dmp

Download
memory/2484-478-0x0000000000C94870-mapping.dmp

Download
memory/2488-412-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2488-378-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2488-371-0x0000000000C94870-mapping.dmp

Download
memory/2568-502-0x0000000000000000-mapping.dmp

Download
memory/2632-390-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2632-379-0x0000000000000000-mapping.dmp

Download
memory/2676-399-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2676-387-0x0000000000C94870-mapping.dmp

Download
memory/2744-494-0x0000000000C94870-mapping.dmp

Download
memory/2760-509-0x0000000000C94870-mapping.dmp

Download
memory/2780-408-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2780-395-0x0000000000000000-mapping.dmp

Download
memory/2824-405-0x0000000000C94870-mapping.dmp

Download
memory/2824-532-0x0000000000000000-mapping.dmp

Download
memory/2940-415-0x0000000000000000-mapping.dmp

Download
memory/2972-423-0x0000000000C94870-mapping.dmp

Download
memory/3060-432-0x0000000000000000-mapping.dmp

Download