Technical Information
To ensure autorun and distribution:
Modifies the following registry keys:
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 's' = 'wscript.exe //B "%APPDATA%\s.VBS"'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 's' = 'wscript.exe //B "%APPDATA%\s.VBS"'
Creates or modifies the following files:
- %HOMEPATH%\Start Menu\Programs\Startup\s.VBS
Creates the following files on removable media:
- <Drive name for removable media>:\s.VBS
Modifies file system:
Creates the following files:
- %TEMP%\$inst\2.tmp
- %TEMP%\43311.4323384954\ROMANIAN.lng
- %TEMP%\43311.4323384954\PORTUGUESEPTBR.lng
- %TEMP%\43311.4323384954\NORWEGIAN.lng
- %TEMP%\43311.4323384954\MALTESE.lng
- %TEMP%\43311.4323384954\KOREAN.lng
- %TEMP%\43311.4323384954\JAPANESE.lng
- %TEMP%\43311.4323384954\ITALIAN.lng
- %TEMP%\43311.4323384954\HEBREW.lng
- %TEMP%\43311.4323384954\GERMAN.lng
- %TEMP%\43311.4323384954\GEORGIAN.lng
- %TEMP%\43311.4323384954\FRENCH.lng
- %TEMP%\is-P966O.tmp\DriverBooster.exe
- %TEMP%\43311.4323384954\FINNISH.lng
- %TEMP%\43311.4323384954\DUTCH.lng
- %TEMP%\43311.4323384954\CZECH.lng
- %TEMP%\43311.4323384954\CHINESETRADITIONAL.lng
- %TEMP%\43311.4323384954\CHINESESIMPLIFIED.lng
- %TEMP%\43311.4323384954\BOSNIAN.lng
- %TEMP%\43311.4323384954\ALBANIAN.lng
- %TEMP%\43311.4323384954\CATALAN.lng
- %TEMP%\43311.4323384954\CROATIAN.lng
- %TEMP%\43311.4323384954\PERSIAN.lng
- %TEMP%\43311.4323384954\BELARUSIAN.lng
- %TEMP%\43311.4323384954\ARABIC.lng
- %TEMP%\43311.4323384954\SERBIANCYRILLIC.lng
- %TEMP%\43311.4323384954\RUSSIAN.lng
- %TEMP%\43311.4323384954\SERBIANLATIN.lng
- %TEMP%\43311.4323384954\SLOVAK.lng
- %TEMP%\43311.4323384954\SLOVENIAN.lng
- <SYSTEM32>\s.VBS
- %ProgramFiles%\driver_booster_setup.exe
- %TEMP%\$inst\0001.tmp
- %TEMP%\$inst\0002.tmp
- %ProgramFiles%\IObit\driver_booster_setup\Uninstall.exe
- %ProgramFiles%\IObit\driver_booster_setup\Uninstall.ini
- %TEMP%\is-25MN1.tmp\driver_booster_setup.tmp
- %TEMP%\Setup Log 2018-07-30 #001.txt
- %APPDATA%\s.VBS
- %TEMP%\is-P966O.tmp\RdZone.dll
- %TEMP%\is-P966O.tmp\Inno_English.lng
- %TEMP%\43311.4323384954\KURDISHSORANI.lng
- %TEMP%\43311.4323384954\ENGLISH.lng
- %TEMP%\is-P966O.tmp\Icon_1.bmp
- %TEMP%\is-P966O.tmp-dbinst\TaskMgr.dll
- %TEMP%\is-P966O.tmp\EULA.rtf
- %TEMP%\is-P966O.tmp-dbinst\EULA.rtf
- %TEMP%\is-P966O.tmp\DBInstaller.exe
- %TEMP%\is-P966O.tmp-dbinst\setup.exe
- %TEMP%\43311.4323384954\VIETNAMESE.lng
- %TEMP%\43311.4323384954\UKRAINIAN.lng
- %TEMP%\43311.4323384954\TURKISH.lng
- %TEMP%\43311.4323384954\THAI.lng
- %TEMP%\43311.4323384954\SWEDISH.lng
- %TEMP%\43311.4323384954\SPANISH.lng
- %TEMP%\$inst\temp_0.tmp
- %TEMP%\is-P966O.tmp\TaskMgr.dll
- %TEMP%\43311.4323384954\GREEK.lng
Sets the 'hidden' attribute to the following files:
- <Drive name for removable media>:\s.VBS
Deletes the following files:
- %TEMP%\$inst\temp_0.tmp
- %TEMP%\$inst\0001.tmp
- %TEMP%\$inst\0002.tmp
- %TEMP%\$inst\2.tmp
- %TEMP%\is-P966O.tmp\DBInstaller.exe
- %TEMP%\is-P966O.tmp\DriverBooster.exe
- %TEMP%\is-P966O.tmp\EULA.rtf
- %TEMP%\is-P966O.tmp\Icon_1.bmp
- %TEMP%\is-P966O.tmp\Inno_English.lng
- %TEMP%\is-P966O.tmp\RdZone.dll
- %TEMP%\is-P966O.tmp\TaskMgr.dll
- %TEMP%\is-25MN1.tmp\driver_booster_setup.tmp
Network activity:
Connects to:
- 'localhost':1036
- 'fa#####ssin22.ddns.net':1188
UDP:
- DNS ASK fa#####ssin22.ddns.net
Miscellaneous:
Creates and executes the following:
- '<SYSTEM32>\wscript.exe' "<SYSTEM32>\s.VBS"
- '%ProgramFiles%\driver_booster_setup.exe'
- '%TEMP%\is-25MN1.tmp\driver_booster_setup.tmp' /SL5="$10142,18489280,141824,%ProgramFiles%\driver_booster_setup.exe"
- '<SYSTEM32>\wscript.exe' //B "%APPDATA%\s.VBS"
- '%TEMP%\is-P966O.tmp-dbinst\setup.exe' "%ProgramFiles%\driver_booster_setup.exe" /title="Driver Booster 5" /dbver=5.1.0.488 /eula="%TEMP%\is-P966O.tmp-dbinst\EULA.rtf" /pmt /dashlane
