Trojan.DownLoader35.47671

Technical Information

Modifies file system

Creates the following files

%TEMP%\is-8p366.tmp\<File name>.tmp
%ProgramFiles(x86)%\pwis copy\skins\0\is-mve80.tmp
%ProgramFiles(x86)%\pwis copy\skins\0\is-74ung.tmp
%ProgramFiles(x86)%\pwis copy\is-8v3b8.tmp
%ProgramFiles(x86)%\pwis copy\is-38td7.tmp
%ProgramFiles(x86)%\pwis copy\is-j4mj8.tmp
%ProgramFiles(x86)%\pwis copy\is-n9eum.tmp
%ProgramFiles(x86)%\pwis copy\is-fnkq3.tmp
%ProgramFiles(x86)%\pwis copy\is-eomec.tmp
%ProgramFiles(x86)%\pwis copy\is-5jsc4.tmp
%ProgramFiles(x86)%\pwis copy\is-s9mq2.tmp
%WINDIR%\is-dtitu.tmp
%ProgramFiles(x86)%\pwis copy\help\is-18v8k.tmp
%ProgramFiles(x86)%\pwis copy\is-l93ic.tmp
%WINDIR%\syswow64\is-oa28c.tmp
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\pwis copy\pwis copy.lnk
%ProgramFiles(x86)%\pwis copy\skins\0\is-sehoc.tmp
%ProgramFiles(x86)%\pwis copy\windvdcopy.url
%ProgramFiles(x86)%\pwis copy\skins\0\is-le2rm.tmp
%ProgramFiles(x86)%\pwis copy\skins\0\is-dgsem.tmp
%TEMP%\is-188kg.tmp\_isetup\_regdll.tmp
%TEMP%\is-188kg.tmp\_isetup\_setup64.tmp
%TEMP%\is-188kg.tmp\_isetup\_shfoldr.dll
%TEMP%\is-188kg.tmp\_isetup\_iscrypt.dll
%ProgramFiles(x86)%\pwis copy\is-oulps.tmp
%ProgramFiles(x86)%\pwis copy\language\is-h7mb2.tmp
%ProgramFiles(x86)%\pwis copy\skins\0\is-cfqg9.tmp
%ProgramFiles(x86)%\pwis copy\skins\0\is-2muml.tmp
%ProgramFiles(x86)%\pwis copy\skins\0\is-n78jn.tmp
%ProgramFiles(x86)%\pwis copy\skins\0\is-utanb.tmp
%ProgramFiles(x86)%\pwis copy\skins\0\is-hsg4l.tmp
%ProgramFiles(x86)%\pwis copy\skins\0\is-pfpff.tmp
%ProgramFiles(x86)%\pwis copy\skins\0\is-5lnep.tmp
%ProgramFiles(x86)%\pwis copy\skins\0\is-e01pk.tmp
%ProgramFiles(x86)%\pwis copy\skins\0\is-n93n3.tmp
%ProgramFiles(x86)%\pwis copy\skins\0\is-r8bpq.tmp
%ProgramFiles(x86)%\pwis copy\unins000.dat

Moves the following files

from %ProgramFiles(x86)%\pwis copy\is-oulps.tmp to %ProgramFiles(x86)%\pwis copy\unins000.exe
from %ProgramFiles(x86)%\pwis copy\help\is-18v8k.tmp to %ProgramFiles(x86)%\pwis copy\help\winavi dvd copy help.chm
from %WINDIR%\is-dtitu.tmp to %WINDIR%\windvdbootrecdoe.sys
from %ProgramFiles(x86)%\pwis copy\is-s9mq2.tmp to %ProgramFiles(x86)%\pwis copy\readme.txt
from %ProgramFiles(x86)%\pwis copy\is-5jsc4.tmp to %ProgramFiles(x86)%\pwis copy\videoburn.dll
from %ProgramFiles(x86)%\pwis copy\is-eomec.tmp to %ProgramFiles(x86)%\pwis copy\fileio.dll
from %ProgramFiles(x86)%\pwis copy\is-fnkq3.tmp to %ProgramFiles(x86)%\pwis copy\aspi.dll
from %ProgramFiles(x86)%\pwis copy\is-n9eum.tmp to %ProgramFiles(x86)%\pwis copy\dvdcopy.dll
from %ProgramFiles(x86)%\pwis copy\is-j4mj8.tmp to %ProgramFiles(x86)%\pwis copy\core.dll
from %ProgramFiles(x86)%\pwis copy\is-38td7.tmp to %ProgramFiles(x86)%\pwis copy\dvd2one.dll
from %ProgramFiles(x86)%\pwis copy\is-8v3b8.tmp to %ProgramFiles(x86)%\pwis copy\mpeg2videotranslator.dll
from %ProgramFiles(x86)%\pwis copy\skins\0\is-74ung.tmp to %ProgramFiles(x86)%\pwis copy\skins\0\animation.gif
from %ProgramFiles(x86)%\pwis copy\skins\0\is-mve80.tmp to %ProgramFiles(x86)%\pwis copy\skins\0\copynow.bmp
from %ProgramFiles(x86)%\pwis copy\is-l93ic.tmp to %ProgramFiles(x86)%\pwis copy\mwiscopy.exe
from %ProgramFiles(x86)%\pwis copy\skins\0\is-sehoc.tmp to %ProgramFiles(x86)%\pwis copy\skins\0\setting.bmp
from %ProgramFiles(x86)%\pwis copy\skins\0\is-r8bpq.tmp to %ProgramFiles(x86)%\pwis copy\skins\0\down.bmp
from %ProgramFiles(x86)%\pwis copy\skins\0\is-dgsem.tmp to %ProgramFiles(x86)%\pwis copy\skins\0\wizard.bmp
from %ProgramFiles(x86)%\pwis copy\skins\0\is-n93n3.tmp to %ProgramFiles(x86)%\pwis copy\skins\0\splash.bmp
from %ProgramFiles(x86)%\pwis copy\skins\0\is-e01pk.tmp to %ProgramFiles(x86)%\pwis copy\skins\0\min.bmp
from %ProgramFiles(x86)%\pwis copy\skins\0\is-5lnep.tmp to %ProgramFiles(x86)%\pwis copy\skins\0\menu.bmp
from %ProgramFiles(x86)%\pwis copy\skins\0\is-pfpff.tmp to %ProgramFiles(x86)%\pwis copy\skins\0\help.bmp
from %ProgramFiles(x86)%\pwis copy\skins\0\is-hsg4l.tmp to %ProgramFiles(x86)%\pwis copy\skins\0\close.bmp
from %ProgramFiles(x86)%\pwis copy\skins\0\is-utanb.tmp to %ProgramFiles(x86)%\pwis copy\skins\0\web.bmp
from %ProgramFiles(x86)%\pwis copy\skins\0\is-n78jn.tmp to %ProgramFiles(x86)%\pwis copy\skins\0\buynow.bmp
from %ProgramFiles(x86)%\pwis copy\skins\0\is-2muml.tmp to %ProgramFiles(x86)%\pwis copy\skins\0\background.bmp
from %ProgramFiles(x86)%\pwis copy\skins\0\is-cfqg9.tmp to %ProgramFiles(x86)%\pwis copy\skins\0\skin.ini
from %ProgramFiles(x86)%\pwis copy\language\is-h7mb2.tmp to %ProgramFiles(x86)%\pwis copy\language\english.ini
from %ProgramFiles(x86)%\pwis copy\skins\0\is-le2rm.tmp to %ProgramFiles(x86)%\pwis copy\skins\0\select.bmp
from %WINDIR%\syswow64\is-oa28c.tmp to %WINDIR%\syswow64\sqlite3.dll

Network activity

TCP

'ma#####amenameper.club':443

UDP

DNS ASK ma#####amenameper.club

Miscellaneous

Searches for the following windows

ClassName: 'tcbbihde734g3g6gd' WindowName: ''

Creates and executes the following

'%TEMP%\is-8p366.tmp\<File name>.tmp' /SL5="$B01F8,3544320,211456,<Full path to file>"
'%ProgramFiles(x86)%\pwis copy\mwiscopy.exe'

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial