| Field | Value |
|---|---|
| URL | https://cdn1.filehaus.su/files/1716606308_24426/iobit_driver_booster_11.4.0.60.zip |
| Full analysis | https://app.any.run/tasks/8dd0aab4-0d93-4a02-84dd-2a80ba55a187 |
| Verdict | Malicious activity |
| Analysis date | May 25, 2024, 03:06:24 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MD5 | D672E2FECDD2AE672C6ADC28A2887032 |
| SHA1 | 66C17758D8B0D16EA59F6864AB69734FDD412981 |
| SHA256 | AAA00FD8A6338F3B6E184EE582DE2D482AAD4C5CC3906AF9CE9A713E23A5321F |
| SSDEEP | 3:N8cODcQvfUnf5d3WlKWRpUULRLVhc:2cscqad3WlDDRhW |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 524 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2204 --field-trial-handle=1328,i,12563438504894062406,7155727255082959443,131072 /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | 0 | 109.0.1518.115 |
| 992 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4188 --field-trial-handle=1328,i,12563438504894062406,7155727255082959443,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | 0 | 109.0.1518.115 |
| 992 | "C:\Program Files\IObit\Driver Booster\Manta.exe" /CommStat /DoCommStat /Code="B100" /Days=7 | C:\Program Files\IObit\Driver Booster\Manta.exe | | DriverBooster.exe | admin | IObit | HIGH | Manta | 0 | 11.2.0.11 |
| 1044 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4236 --field-trial-handle=1328,i,12563438504894062406,7155727255082959443,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | 0 | 109.0.1518.115 |
| 1056 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2224 --field-trial-handle=1328,i,12563438504894062406,7155727255082959443,131072 /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | | 109.0.1518.115 |
| 1248 | "C:\Program Files\IObit\Driver Booster\HWiNFO\HWiNFO.exe" /brandname | C:\Program Files\IObit\Driver Booster\HWiNFO\HWiNFO.exe | | IObit Driver Booster 11.4.0.60.tmp | admin | IObit | HIGH | Hardware Information | 0 | 8.0.0.10 |
| 1280 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\iobit_driver_booster_11.4.0.60.zip" | C:\Program Files\WinRAR\WinRAR.exe | | msedge.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | | 5.91.0 |
| 1568 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3260 --field-trial-handle=1328,i,12563438504894062406,7155727255082959443,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Edge | 0 | 109.0.1518.115 |
| 1796 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3360 --field-trial-handle=1328,i,12563438504894062406,7155727255082959443,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | LOW | Microsoft Edge | 0 | 109.0.1518.115 |
| 1832 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4280 --field-trial-handle=1328,i,12563438504894062406,7155727255082959443,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Edge | 0 | 109.0.1518.115 |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 3984 | msedge.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon | failed_count | 0 |
| 3984 | msedge.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon | state | 2 |
| 3984 | msedge.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Edge\ThirdParty | StatusCodes | |
| 3984 | msedge.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Edge\ThirdParty | StatusCodes | 01000000 |
| 3984 | msedge.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon | state | 1 |
| 3984 | msedge.exe | write | HKEY_CURRENT_USER\Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062} | dr | 1 |
| 3984 | msedge.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Edge\StabilityMetrics | user_experience_metrics.stability.exited_cleanly | 0 |
| 3984 | msedge.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault | S-1-5-21-1302019708-1500728564-335382590-1000 | 7565E2DAD4772F00 |
| 3984 | msedge.exe | delete value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\FirstNotDefault | S-1-5-21-1302019708-1500728564-335382590-1000 | |
| 3984 | msedge.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Edge | UsageStatsInSample | 1 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3984 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF104846.TMP | — | — | — |
| 3984 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old | — | — | — |
| 3984 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF104865.TMP | — | — | — |
| 3984 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old | — | — | — |
| 3984 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF10495f.TMP | — | — | — |
| 3984 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old | — | — | — |
| 3984 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\269562de-0e42-469e-9425-71ea047629e2.tmp | binary | 5058F1AF8388633F609CADB75A75DC9D | — |
| 3984 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat | binary | A6EBC0D32A7B9304824D19DB63B4E37A | E991057C2B1718A151C5FD06E1C153F57130D195454A1F94C8C4C20971697093 |
| 3984 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old | text | 4BDB64FCF217848BCEEF4FF1723E32A0 | 6DB71689542AA54221535B9135FD82321DFE987612818B1D3BBA1629C4DC2F63 |
| 3984 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG.old | text | 2B5B565981E1565368EC9935843BD794 | E98D615C43993262B2C3058F9E445BA09A496ED4CEE663371CABD0600CBBF122 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| 2040 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 3984 | msedge.exe | 239.255.255.250:1900 | — | — | — | unknown |
| 2040 | msedge.exe | 13.107.21.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
| 2040 | msedge.exe | 89.213.174.100:443 | cdn1.filehaus.su | GCI Network Solutions Limited | GB | unknown |
| 2040 | msedge.exe | 152.199.21.175:443 | msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com | EDGECAST | DE | whitelisted |
| 2040 | msedge.exe | 204.79.197.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
| 3984 | msedge.exe | 224.0.0.251:5353 | — | — | — | unknown |
| Domain | IP | Reputation |
|---|---|---|
| config.edge.skype.com | | whitelisted |
| cdn1.filehaus.su | | unknown |
| edge.microsoft.com | | whitelisted |
| msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com | | whitelisted |
| www.bing.com | | whitelisted |
| lrepacks.net | | unknown |
| sheisnotateacher.com | | unknown |
| lrepacks.ru | | whitelisted |
| translate.google.com | | whitelisted |
| waitheja.net | | unknown |
| Process | Message |
|---|---|
| regedit.exe | REGEDIT: CreateFile failed, GetLastError() = 2 |
| msedge.exe | [0525/040721.785:ERROR:exception_handler_server.cc(527)] ConnectNamedPipe: The pipe is being closed. (0xE8) |
| DriverBooster.exe | FormResize |
| DriverBooster.exe | AdapterRAM:NULL |
| DriverBooster.exe | InstanceAcceleratorCapabilities;AdapterCompatibility;AdapterDACType;AdapterRAM;Availability;CapabilityDescriptions;Caption;ColorTableEntries;ConfigManagerErrorCode;ConfigManagerUserConfig;CreationClassName;CurrentBitsPerPixel;CurrentHorizontalResolution;CurrentNumberOfColors;CurrentNumberOfColumns;CurrentNumberOfRows;CurrentRefreshRate;CurrentScanMode;CurrentVerticalResolution;Description;DeviceID;DeviceSpecificPens;DitherType;DriverDate;DriverVersion;ErrorCleared;ErrorDescription;ICMIntent;ICMMethod;InfFilename;InfSection;InstallDate;InstalledDisplayDrivers;LastErrorCode;MaxMemorySupported;MaxNumberControlled;MaxRefreshRate;MinRefreshRate;Monochrome;Name;NumberOfColorPlanes;NumberOfVideoPages;PNPDeviceID;PowerManagementCapabilities;PowerManagementSupported;ProtocolSupported;ReservedSystemPaletteEntries;SpecificationVersion;Status;StatusInfo;SystemCreationClassName;SystemName;SystemPaletteEntries;TimeOfLastReset;VideoArchitecture;VideoMemoryType;VideoMode;VideoModeDescription;VideoProcessor; |
| DriverBooster.exe | 1;NULL;(Standard display types);NULL;NULL;8;NULL;Standard VGA Graphics Adapter;NULL;0;False;Win32_VideoController;NULL;NULL;NULL;NULL;NULL;NULL;NULL;NULL;Standard VGA Graphics Adapter;VideoController1;NULL;NULL;20060621000000.000000-000;6.1.7600.16385;NULL;NULL;NULL;NULL;display.inf;vga;NULL;NULL;NULL;NULL;NULL;NULL;NULL;False;Standard VGA Graphics Adapter;NULL;NULL;PCI\VEN_1234&DEV_1111&SUBSYS_11001AF4&REV_02\3&13C0B0C5&0&10;NULL;NULL;NULL;NULL;NULL;OK;NULL;Win32_ComputerSystem;USER-PC;NULL;NULL;5;2;NULL;NULL;NULL; |
| DriverBooster.exe | ChkFullScrn focus ARect.Bottom = 696 |
| DriverBooster.exe | [ Focus.dll ] PopConditionMet MyCfg.AutoFocus = -1 |
| DriverBooster.exe | [ Focus.dll ] PopConditionMet MyCfg.Path = C:\Users\admin\AppData\Roaming\IObit\Driver Booster\Config.ini |
| DriverBooster.exe | Size lessthan Screen |