| File name: | driver_booster_setup.exe |
| Full analysis: | https://app.any.run/tasks/ef91f478-d913-4792-b427-16f095d51a84 |
| Verdict: | Malicious activity |
| Analysis date: | September 15, 2024, 01:57:31 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | E6CE743D5B58B5F1C04ED63B6E9139A1 |
| SHA1: | F4C2E6B974D80BB045CFE6956634A1D38ACDD569 |
| SHA256: | 6C708DEEC6E5FBA99B6DEA92FC604417774B3E6A51AAE24FCFFE2BA1CD96B6A2 |
| SSDEEP: | 196608:i3KmyxpvN/JAFSICqsm2tu9CLqoyP8HOgtCBYuJyF8SqNJXr:Ayh+QqsLU9RVEHSJyF8xNJr |
MALICIOUS
Runs injected code in another process
- ICONPIN64.exe (PID: 4248)
Application was injected by another process
- explorer.exe (PID: 4552)
SUSPICIOUS
Executable content was dropped or overwritten
- driver_booster_setup.exe (PID: 5152)
- driver_booster_setup.exe (PID: 6868)
- driver_booster_setup.tmp (PID: 2992)
- driver_booster_setup.exe (PID: 4132)
- HWiNFO.exe (PID: 6864)
Reads security settings of Internet Explorer
- driver_booster_setup.tmp (PID: 4040)
- driver_booster_setup.tmp (PID: 2992)
Reads the Windows owner or organization settings
- driver_booster_setup.tmp (PID: 2992)
Drops a system driver (possible attempt to evade defenses)
- HWiNFO.exe (PID: 6864)
Searches for installed software
- InstStat.exe (PID: 6992)
- setup.exe (PID: 3660)
INFO
Create files in a temporary directory
- driver_booster_setup.exe (PID: 5152)
- setup.exe (PID: 3660)
- driver_booster_setup.exe (PID: 6868)
- driver_booster_setup.tmp (PID: 2992)
- HWiNFO.exe (PID: 6864)
- ICONPIN64.exe (PID: 4248)
- explorer.exe (PID: 4552)
Checks supported languages
- driver_booster_setup.exe (PID: 5152)
- driver_booster_setup.exe (PID: 6868)
- driver_booster_setup.tmp (PID: 2992)
- setup.exe (PID: 3660)
- HWiNFO.exe (PID: 6864)
- SetupHlp.exe (PID: 6552)
- RttHlp.exe (PID: 2628)
- InstStat.exe (PID: 6992)
- ICONPIN64.exe (PID: 4248)
- driver_booster_setup.tmp (PID: 4040)
Creates files in the program directory
- setup.exe (PID: 3660)
- driver_booster_setup.tmp (PID: 2992)
- SetupHlp.exe (PID: 6552)
- RttHlp.exe (PID: 2628)
- InstStat.exe (PID: 6992)
Creates files or folders in the user directory
- setup.exe (PID: 3660)
- InstStat.exe (PID: 6992)
- explorer.exe (PID: 4552)
Reads the computer name
- setup.exe (PID: 3660)
- driver_booster_setup.tmp (PID: 2992)
- SetupHlp.exe (PID: 6552)
- HWiNFO.exe (PID: 6864)
- InstStat.exe (PID: 6992)
- driver_booster_setup.tmp (PID: 4040)
Reads the machine GUID from the registry
- setup.exe (PID: 3660)
- ICONPIN64.exe (PID: 4248)
- InstStat.exe (PID: 6992)
Sends debugging messages
- setup.exe (PID: 3660)
- explorer.exe (PID: 4552)
- ICONPIN64.exe (PID: 4248)
Creates a software uninstall entry
- driver_booster_setup.tmp (PID: 2992)
Process checks computer location settings
- driver_booster_setup.tmp (PID: 2992)
- driver_booster_setup.tmp (PID: 4040)
The process uses the downloaded file
- driver_booster_setup.tmp (PID: 2992)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable (generic) (42.6) |
|---|---|---|
| .exe | | | Win16/32 Executable Delphi generic (19.5) |
| .exe | | | Generic Win/DOS Executable (18.9) |
| .exe | | | DOS Executable Generic (18.9) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2018:06:14 13:27:46+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 66560 |
| InitializedDataSize: | 71680 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1181c |
| OSVersion: | 5 |
| ImageVersion: | 6 |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 12.0.0.308 |
| ProductVersionNumber: | 12.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | IObit |
| FileDescription: | Driver Booster 12 Setup |
| FileVersion: | 12.0.0.308 |
| LegalCopyright: | © IObit. All rights reserved. |
| ProductName: | Driver Booster 12 |
| ProductVersion: | 12.0 |
Total processes
126
Monitored processes
12
Malicious processes
4
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2628 | "C:\Program Files (x86)\IObit\Driver Booster\12.0.0\RttHlp.exe" /winstdate | C:\Program Files (x86)\IObit\Driver Booster\12.0.0\RttHlp.exe | — | SetupHlp.exe | |||||||||||
User: admin Company: IObit Integrity Level: HIGH Description: IObit RttHlp Exit code: 0 Version: 12.0.0.3 Modules
| |||||||||||||||
| 2992 | "C:\Users\admin\AppData\Local\Temp\is-N3OHR.tmp\driver_booster_setup.tmp" /SL5="$801F4,31285930,139264,C:\Users\admin\Desktop\driver_booster_setup.exe" /sp- /verysilent /Installer /norestart /DIR="C:\Program Files (x86)\IObit\Driver Booster" /Installer-DeskIcon /Installer-TaskIcon | C:\Users\admin\AppData\Local\Temp\is-N3OHR.tmp\driver_booster_setup.tmp | driver_booster_setup.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 3660 | "C:\Users\admin\AppData\Local\Temp\is-8VGPF.tmp-dbinst\setup.exe" "C:\Users\admin\Desktop\driver_booster_setup.exe" /title="Driver Booster 12" /dbver=12.0.0.308 /eula="C:\Users\admin\AppData\Local\Temp\is-8VGPF.tmp-dbinst\EULA.rtf" /showlearnmore /pmtproduct /nochromepmt | C:\Users\admin\AppData\Local\Temp\is-8VGPF.tmp-dbinst\setup.exe | driver_booster_setup.tmp | ||||||||||||
User: admin Company: IObit Integrity Level: HIGH Description: Driver Booster Installer Version: 12.0.0.71 Modules
| |||||||||||||||
| 4040 | "C:\Users\admin\AppData\Local\Temp\is-HJ1KA.tmp\driver_booster_setup.tmp" /SL5="$503A8,31285930,139264,C:\Users\admin\Desktop\driver_booster_setup.exe" | C:\Users\admin\AppData\Local\Temp\is-HJ1KA.tmp\driver_booster_setup.tmp | — | driver_booster_setup.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 1 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 4132 | "C:\Users\admin\Desktop\driver_booster_setup.exe" /SPAWNWND=$140296 /NOTIFYWND=$503A8 | C:\Users\admin\Desktop\driver_booster_setup.exe | driver_booster_setup.tmp | ||||||||||||
User: admin Company: IObit Integrity Level: HIGH Description: Driver Booster 12 Setup Exit code: 1 Version: 12.0.0.308 | |||||||||||||||
| 4248 | "C:\Program Files (x86)\IObit\Driver Booster\12.0.0\TaskbarPin\ICONPIN64.exe" pin "C:\Program Files (x86)\IObit\Driver Booster\12.0.0\DriverBooster.exe" | C:\Program Files (x86)\IObit\Driver Booster\12.0.0\TaskbarPin\ICONPIN64.exe | driver_booster_setup.tmp | ||||||||||||
User: admin Company: IObit Integrity Level: HIGH Description: Icon Pin Exit code: 0 Version: 1.0.0.22 Modules
| |||||||||||||||
| 4552 | C:\WINDOWS\Explorer.EXE | C:\Windows\explorer.exe | — | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 10.0.19041.3758 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5152 | "C:\Users\admin\Desktop\driver_booster_setup.exe" | C:\Users\admin\Desktop\driver_booster_setup.exe | explorer.exe | ||||||||||||
User: admin Company: IObit Integrity Level: MEDIUM Description: Driver Booster 12 Setup Exit code: 1 Version: 12.0.0.308 Modules
| |||||||||||||||
| 6552 | "C:\Program Files (x86)\IObit\Driver Booster\12.0.0\SetupHlp.exe" /install /setup="C:\Users\admin\Desktop\driver_booster_setup.exe" | C:\Program Files (x86)\IObit\Driver Booster\12.0.0\SetupHlp.exe | — | driver_booster_setup.tmp | |||||||||||
User: admin Company: IObit Integrity Level: HIGH Description: Driver Booster Setup Helper Exit code: 0 Version: 12.0.0.27 Modules
| |||||||||||||||
| 6864 | "C:\Program Files (x86)\IObit\Driver Booster\12.0.0\HWiNFO\HWiNFO.exe" /brandname | C:\Program Files (x86)\IObit\Driver Booster\12.0.0\HWiNFO\HWiNFO.exe | driver_booster_setup.tmp | ||||||||||||
User: admin Company: IObit Integrity Level: HIGH Description: Hardware Information Exit code: 0 Version: 12.0.0.21 Modules
| |||||||||||||||
Total events
3 854
Read events
3 793
Write events
54
Delete events
7
Modification events
| (PID) Process: | (4552) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000802A6 |
| Operation: | write | Name: | VirtualDesktop |
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2 | |||
| (PID) Process: | (4552) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E035E |
| Operation: | write | Name: | VirtualDesktop |
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2 | |||
| (PID) Process: | (4552) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060280 |
| Operation: | write | Name: | VirtualDesktop |
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2 | |||
| (PID) Process: | (4552) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060280 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (4552) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E035E |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (4552) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000802A6 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (4552) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000903DC |
| Operation: | write | Name: | VirtualDesktop |
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2 | |||
| (PID) Process: | (4552) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000603A0 |
| Operation: | write | Name: | VirtualDesktop |
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2 | |||
| (PID) Process: | (4552) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000603A0 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (2992) driver_booster_setup.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Driver Booster_is1 |
| Operation: | write | Name: | Inno Setup: Setup Version |
Value: 5.6.1 (u) | |||
Executable files
146
Suspicious files
37
Text files
370
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4552 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat | binary | |
MD5:E49C56350AEDF784BFE00E444B879672 | SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E | |||
| 3660 | setup.exe | C:\Users\admin\AppData\Local\Temp\1726365480\UKRAINIAN.lng | text | |
MD5:0117AEAA85E9BB792C58E45727A400CC | SHA256:6E90FD2F7E76BF7D2940FD4BA74E47B2846CAAF70E21996BAE5F681F92B041B6 | |||
| 3660 | setup.exe | C:\Users\admin\AppData\Local\Temp\1726365480\SLOVAK.lng | text | |
MD5:1E4A5A9DCF71B5E452893BCA4DDEA73D | SHA256:F797AEF2F6601A8CE4B350853DFB485BB211337A1C024F4E317CDA2211772D9C | |||
| 3660 | setup.exe | C:\Users\admin\AppData\Local\Temp\1726365480\TURKISH.lng | text | |
MD5:5BBDD60608593241E4336E61A3914403 | SHA256:0535529B4E4D776F6A25DC4DA296B37CE8C4D82E354EEB21D995E14D5E9AC45F | |||
| 3660 | setup.exe | C:\Users\admin\AppData\Local\Temp\1726365480\SPANISH.lng | text | |
MD5:867CD8AA7732CD1F38E8E0B84117CAAE | SHA256:5A325C796842A4941408B4A0942397610958BBD0AC0E8A95483E9FC15275EBED | |||
| 3660 | setup.exe | C:\Users\admin\AppData\Local\Temp\1726365480\SLOVENIAN.lng | text | |
MD5:AF66BCE0187F375F253E634786984A08 | SHA256:6C4F458236732C1D91AC4BC2388BA353AB18C01A9EA83361353C9DC8C36EEAB2 | |||
| 4132 | driver_booster_setup.exe | C:\Users\admin\AppData\Local\Temp\is-J2N5T.tmp\driver_booster_setup.tmp | executable | |
MD5:048F89F1BE0CE17F10350B121C08B6BD | SHA256:8DFC033FF5A1EBAC9282F15F14AB048B73FB058FEC927A1F5D188A359315C6EB | |||
| 3660 | setup.exe | C:\Users\admin\AppData\Local\Temp\1726365480\SERBIANLATIN.lng | text | |
MD5:60DC704109B83A4DAD607376929DCBF0 | SHA256:B80CB192E2CC3E95F20B1BC8CD1D80C1F779EA70D35AABA5F6ED0A56303E0052 | |||
| 3660 | setup.exe | C:\Users\admin\AppData\Local\Temp\1726365480\ROMANIAN.lng | text | |
MD5:BEEFB79439AE0EC7C554D7F9A7C112C1 | SHA256:E78BEEEAE25DCA6190001233FAE53688B170446D5D596F68C640262594EE0807 | |||
| 3660 | setup.exe | C:\Users\admin\AppData\Local\Temp\1726365480\ITALIAN.lng | text | |
MD5:5C99CE912B92466BD57C7D10546262A2 | SHA256:DD4A8A6D68AB914F54EA9B47BF5F3BDA8989695ADC9A7787FCCCC220253B98EB | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
25
DNS requests
6
Threats
7
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
608 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
2120 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 206 | 152.199.20.140:443 | https://update.iobit.com/infofiles/db/rmd/install_cfg_n.zlb | unknown | binary | 99.7 Kb | — |
— | — | GET | 206 | 152.199.20.140:443 | https://update.iobit.com/infofiles/db/rmd/install_cfg_n.zlb | unknown | binary | 99.7 Kb | — |
— | — | GET | 200 | 152.199.20.140:443 | https://update.iobit.com/infofiles/db/rmd/install_cfg_n.zlb | unknown | binary | 398 Kb | — |
— | — | GET | 206 | 152.199.20.140:443 | https://update.iobit.com/infofiles/db/rmd/install_cfg_n.zlb | unknown | binary | 99.7 Kb | — |
— | — | GET | 206 | 152.199.20.140:443 | https://update.iobit.com/infofiles/db/rmd/install_cfg_n.zlb | unknown | binary | 99.7 Kb | — |
— | — | GET | 200 | 152.199.20.140:443 | https://update.iobit.com/infofiles/ac/appver-ac.upt | unknown | ini | 851 b | — |
— | — | GET | 200 | 52.45.90.92:443 | https://stats.iobit.com/install.php?operate=1&user=1&app=db12&ver=12.0.0.308&pr=iobit&system=100&type=1&lang=en-US&geo=1033&insur=other | unknown | text | 19 b | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
608 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
— | — | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
2120 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
— | — | 20.49.150.241:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted |
— | — | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
3660 | setup.exe | 152.199.20.140:443 | update.iobit.com | EDGECAST | US | whitelisted |
6992 | InstStat.exe | 52.45.90.92:443 | stats.iobit.com | AMAZON-AES | US | suspicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
update.iobit.com |
| whitelisted |
stats.iobit.com |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) |
— | — | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) |
— | — | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) |
— | — | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) |
— | — | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) |
— | — | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) |
— | — | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) |
Process | Message |
|---|---|
setup.exe | time1 |
setup.exe | doFinshedEvent_Freeware 0 |
setup.exe | time3 |
setup.exe | Order: itop |
setup.exe | ProductVersion: 12.0.0.308 |
setup.exe | Chk_ver_min |
setup.exe | Chk_ver_max |
setup.exe | CheckSameVerList |
setup.exe | CheckLicense |
setup.exe | chk_os_ver 110;100;63;62;61 |