Trojan.DownLoader47.32850

Technical Information

Malicious functions

Downloads and executes

https://saopaulo777bet.com/test.exe as %appdata%\test.exe

Launches a large number of processes

Modifies file system

Creates the following files

%APPDATA%\test.exe
%TEMP%\90ba.tmp\90bb.tmp\90bc.bat
%TEMP%\88de.tmp\88df.tmp\88e0.bat
%TEMP%\80e2.tmp\80e3.tmp\80e4.bat
%TEMP%\7934.tmp\7935.tmp\7936.bat
%TEMP%\71a6.tmp\7233.tmp\7263.bat
%TEMP%\696c.tmp\696d.tmp\696e.bat
%TEMP%\622c.tmp\626b.tmp\626c.bat
%TEMP%\59d2.tmp\59e3.tmp\59f4.bat
%TEMP%\51d7.tmp\51d8.tmp\51d9.bat
%TEMP%\4ac5.tmp\4ad6.tmp\4ad7.bat
%TEMP%\41d0.tmp\41d1.tmp\41d2.bat
%TEMP%\39d4.tmp\39d5.tmp\3a15.bat
%TEMP%\31aa.tmp\31ab.tmp\31ac.bat
%TEMP%\28f3.tmp\2923.tmp\2982.bat
%TEMP%\1fb0.tmp\1fb1.tmp\1fb2.bat
%TEMP%\16da.tmp\16db.tmp\16ec.bat
%TEMP%\e14.tmp\e15.tmp\e25.bat
%TEMP%\5ba.tmp\5cb.tmp\639.bat
%TEMP%\fd61.tmp\fd62.tmp\fd63.bat
%TEMP%\f546.tmp\f547.tmp\f548.bat
%TEMP%\ed5a.tmp\ed5b.tmp\ed6c.bat
%TEMP%\e61a.tmp\e61b.tmp\e61c.bat
%TEMP%\a16d.tmp\a16e.tmp\a16f.bat
%TEMP%\9829.tmp\982a.tmp\983b.bat
%TEMP%\9fb8.tmp\9fb9.tmp\9fba.bat

Deletes the following files

%TEMP%\a16d.tmp\a16e.tmp\a16f.bat
%TEMP%\90ba.tmp\90bb.tmp\90bc.bat
%TEMP%\88de.tmp\88df.tmp\88e0.bat
%TEMP%\80e2.tmp\80e3.tmp\80e4.bat
%TEMP%\7934.tmp\7935.tmp\7936.bat
%TEMP%\71a6.tmp\7233.tmp\7263.bat
%TEMP%\696c.tmp\696d.tmp\696e.bat
%TEMP%\622c.tmp\626b.tmp\626c.bat
%TEMP%\59d2.tmp\59e3.tmp\59f4.bat
%TEMP%\51d7.tmp\51d8.tmp\51d9.bat
%TEMP%\4ac5.tmp\4ad6.tmp\4ad7.bat
%TEMP%\9829.tmp\982a.tmp\983b.bat
%TEMP%\41d0.tmp\41d1.tmp\41d2.bat
%TEMP%\31aa.tmp\31ab.tmp\31ac.bat
%TEMP%\28f3.tmp\2923.tmp\2982.bat
%TEMP%\1fb0.tmp\1fb1.tmp\1fb2.bat
%TEMP%\16da.tmp\16db.tmp\16ec.bat
%TEMP%\e14.tmp\e15.tmp\e25.bat
%TEMP%\5ba.tmp\5cb.tmp\639.bat
%TEMP%\fd61.tmp\fd62.tmp\fd63.bat
%TEMP%\f546.tmp\f547.tmp\f548.bat
%TEMP%\ed5a.tmp\ed5b.tmp\ed6c.bat
%TEMP%\e61a.tmp\e61b.tmp\e61c.bat
%TEMP%\39d4.tmp\39d5.tmp\3a15.bat
%TEMP%\9fb8.tmp\9fb9.tmp\9fba.bat

Miscellaneous

Searches for the following windows

ClassName: 'EDIT' WindowName: ''

Creates and executes the following

'%APPDATA%\test.exe'

Executes the following

'<SYSTEM32>\cmd.exe' /c "%TEMP%\A16D.tmp\A16E.tmp\A16F.bat %APPDATA%\test.EXE"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\DB03.tmp\DB04.tmp\DB14.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\D4FA.tmp\D4FB.tmp\D4FC.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\CF21.tmp\CF22.tmp\CF23.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\C8BB.tmp\C8BC.tmp\C8CC.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\C283.tmp\C284.tmp\C285.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\BC2D.tmp\BC2E.tmp\BC2F.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\B5F6.tmp\B5F7.tmp\B607.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\A7E2.tmp\A802.tmp\A803.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\9FB8.tmp\9FB9.tmp\9FBA.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\9829.tmp\982A.tmp\983B.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\90BA.tmp\90BB.tmp\90BC.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\E13A.tmp\E13B.tmp\E13C.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\80E2.tmp\80E3.tmp\80E4.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\52E0.tmp\52E1.tmp\52F2.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\7934.tmp\7935.tmp\7936.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\E781.tmp\E791.tmp\E792.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\2C2E.tmp\2C3F.tmp\2C40.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\F334.tmp\F335.tmp\F345.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\4C3C.tmp\4C4C.tmp\4C4D.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\4624.tmp\4625.tmp\4626.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\3F9E.tmp\3FAF.tmp\3FB0.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\3948.tmp\3959.tmp\395A.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\3246.tmp\3247.tmp\3248.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\2616.tmp\2617.tmp\2628.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\ED99.tmp\EDA9.tmp\EDAA.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\88DE.tmp\88DF.tmp\88E0.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\1A82.tmp\1A83.tmp\1A84.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\E14.tmp\E15.tmp\E25.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\C5F.tmp\C60.tmp\C70.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\5E9.tmp\5EA.tmp\5FB.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\FF64.tmp\FF65.tmp\FF66.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\F92D.tmp\F92E.tmp\F93E.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\203C.tmp\203D.tmp\204E.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\71A6.tmp\7233.tmp\7263.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\696C.tmp\696D.tmp\696E.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\FD61.tmp\FD62.tmp\FD63.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\41D0.tmp\41D1.tmp\41D2.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\16DA.tmp\16DB.tmp\16EC.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\5BA.tmp\5CB.tmp\639.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\AF51.tmp\AF52.tmp\AF53.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\F546.tmp\F547.tmp\F548.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\31AA.tmp\31AB.tmp\31AC.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\51D7.tmp\51D8.tmp\51D9.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\ED5A.tmp\ED5B.tmp\ED6C.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\147A.tmp\147B.tmp\148B.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\39D4.tmp\39D5.tmp\3A15.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\59D2.tmp\59E3.tmp\59F4.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\28F3.tmp\2923.tmp\2982.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\E61A.tmp\E61B.tmp\E61C.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\622C.tmp\626B.tmp\626C.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\1FB0.tmp\1FB1.tmp\1FB2.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\4AC5.tmp\4AD6.tmp\4AD7.bat %APPDATA%\Test.exe"
'<SYSTEM32>\cmd.exe' /c "%TEMP%\1A82.tmp\1A83.tmp\1A84.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\203C.tmp\203D.tmp\204E.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\5E9.tmp\5EA.tmp\5FB.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\F92D.tmp\F92E.tmp\F93E.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\147A.tmp\147B.tmp\148B.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\C5F.tmp\C60.tmp\C70.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\FF64.tmp\FF65.tmp\FF66.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\5BA.tmp\5CB.tmp\639.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\F546.tmp\F547.tmp\F548.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\E14.tmp\E15.tmp\E25.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\622C.tmp\626B.tmp\626C.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\ED99.tmp\EDA9.tmp\EDAA.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\ED5A.tmp\ED5B.tmp\ED6C.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\3948.tmp\3959.tmp\395A.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\E61A.tmp\E61B.tmp\E61C.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\3F9E.tmp\3FAF.tmp\3FB0.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\4624.tmp\4625.tmp\4626.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\A16D.tmp\A16E.tmp\A16F.bat %APPDATA%\test.EXE"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\4C3C.tmp\4C4C.tmp\4C4D.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\FD61.tmp\FD62.tmp\FD63.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\F334.tmp\F335.tmp\F345.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\1FB0.tmp\1FB1.tmp\1FB2.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\16DA.tmp\16DB.tmp\16EC.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\2616.tmp\2617.tmp\2628.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\71A6.tmp\7233.tmp\7263.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\C283.tmp\C284.tmp\C285.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\7934.tmp\7935.tmp\7936.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\2C2E.tmp\2C3F.tmp\2C40.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\AF51.tmp\AF52.tmp\AF53.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\A7E2.tmp\A802.tmp\A803.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\4AC5.tmp\4AD6.tmp\4AD7.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\9FB8.tmp\9FB9.tmp\9FBA.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\59D2.tmp\59E3.tmp\59F4.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\51D7.tmp\51D8.tmp\51D9.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\90BA.tmp\90BB.tmp\90BC.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\88DE.tmp\88DF.tmp\88E0.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\41D0.tmp\41D1.tmp\41D2.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\9829.tmp\982A.tmp\983B.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\3246.tmp\3247.tmp\3248.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\B5F6.tmp\B5F7.tmp\B607.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\39D4.tmp\39D5.tmp\3A15.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\C8BB.tmp\C8BC.tmp\C8CC.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\31AA.tmp\31AB.tmp\31AC.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\CF21.tmp\CF22.tmp\CF23.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\D4FA.tmp\D4FB.tmp\D4FC.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\28F3.tmp\2923.tmp\2982.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\DB03.tmp\DB04.tmp\DB14.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\E13A.tmp\E13B.tmp\E13C.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\696C.tmp\696D.tmp\696E.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\80E2.tmp\80E3.tmp\80E4.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\BC2D.tmp\BC2E.tmp\BC2F.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\E781.tmp\E791.tmp\E792.bat %APPDATA%\Test.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "%TEMP%\52E0.tmp\52E1.tmp\52F2.bat %APPDATA%\Test.exe"' (with hidden window)

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Technical Information

Curing recommendations

Free trial