Technical Information
Malicious functions
Terminates or attempts to terminate
the following system processes:
- %WINDIR%\explorer.exe
- <SYSTEM32>\taskhost.exe
- <SYSTEM32>\dwm.exe
the following user processes:
- iexplore.exe
- firefox.exe
Modifies file system
Creates the following files
- %WINDIR%y1s2fctrp3
- %CommonProgramFiles%\microsoft shared\8ok6yf wep6b08 apv53deiq9fw titts eigt45 (liz).rar.exe
- %ProgramFiles%\dvd maker\shared\gay [milf] legs 8pfmdyy .avi.exe
- %ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\upfgetx bd1l5ir big glans .rar.exe
- %ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\fac71w2 8ok6yf sgu4m7oc jxqgtp 50+ .mpg.exe
- %ProgramFiles%\microsoft office\office14\groove\xml files\space templates\gzn4ud7e porn [bangbus] boobs b37oavmx289 (rdl1tfkz,dehod0).avi.exe
- %ProgramFiles%\microsoft office\templates\w6csjja14n1 horse hot (!) titts .mpg.exe
- %ProgramFiles%\microsoft office\templates\1033\onenote\14\notebook templates\h93bklf w6csjja14n1 uncut shoes .mpeg.exe
- %ProgramFiles%\windows journal\templates\lpcu5ai3 girls gsva2xn .zip.exe
- %ProgramFiles%\windows sidebar\shared gadgets\fac71w2 cum nom72kl (36mho73,hyo87il).mpeg.exe
- %ProgramFiles(x86)%\adobe\acrobat reader dc\reader\idtemplates\horse [free] ash (sandy,karin).mpeg.exe
- %ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files\bd1l5ir big .rar.exe
- %ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files-select\cum [bangbus] kfp2yqq (g6u8n4r,rdl1tfkz).avi.exe
- %CommonProgramFiles(x86)%\microsoft shared\horse ihthd33 sgoibhh .mpeg.exe
- %ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\vsta\itemtemplates\asian xakmpl 7nd83wovj hot (!) girly .zip.exe
- %ProgramFiles(x86)%\windows sidebar\shared gadgets\ikdyfwhy xxx bd1l5ir big ash (dehod0).zip.exe
- %ALLUSERSPROFILE%\microsoft\rac\temp\asian bd1l5ir horse l9hwcs7vvnphd9 legs latex .zip.exe
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\4h1e2a346 lpcu5ai3 7vepaqjm (haj1oyikd).avi.exe
- %ALLUSERSPROFILE%\microsoft\windows\templates\4h1e2a346 sperm hot (!) boobs qx2j1b5 .mpg.exe
- %ALLUSERSPROFILE%\templates\ikdyfwhy nom72kl nom72kl sgu4m7oc (haj1oyikd,haj1oyikd).avi.exe
- %ALLUSERSPROFILE%\microsoft\rac\temp\4h1e2a346 porn wep6b08 big kfp2yqq nrb42wq .rar.exe
- %ALLUSERSPROFILE%\microsoft\search\data\temp\asian tsomq34 nom72kl uncut hole .mpeg.exe
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\porn porn uncut latex (36mho73).rar.exe
- %ALLUSERSPROFILE%\microsoft\windows\templates\upfgetx 7vepaqjm boobs fishy .mpeg.exe
- %ALLUSERSPROFILE%\templates\f1i7cm nom72kl horse uncut .rar.exe
- C:\users\default\appdata\local\microsoft\windows\<INETFILES>\eq7k2xcxt bd1l5ir bq4kno glans .mpeg.exe
- C:\users\default\appdata\local\temp\ddqayq bq4kno sweet (haj1oyikd).avi.exe
- C:\users\default\appdata\local\<INETFILES>\ddqayq 7nd83wovj uncut 779mipj .zip.exe
- C:\users\default\appdata\roaming\microsoft\windows\templates\h93bklf bd1l5ir big (gina,haj1oyikd).mpeg.exe
- C:\users\default\templates\zc8giv9 mnho9y54 mnho9y54 uncut ash .zip.exe
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\mzwpstr8n h93bklf sgu4m7oc ash .mpg.exe
- %TEMP%\mnho9y54 horse [milf] 50+ .rar.exe
- %LOCALAPPDATA%\<INETFILES>\mzwpstr8n horse epyxwn ejn547rbxhd1 .rar.exe
- %LOCALAPPDATA%low\mozilla\temp-{12c7f776-de07-4d8a-a6eb-93019fcb4f66}\upfgetx nom72kl (karin,sonja).rar.exe
- %LOCALAPPDATA%low\mozilla\temp-{28060726-42ae-4e49-b300-93149d394ff5}\8r3baiec gay xxx big qq6w54yfhtqrbwcslg .zip.exe
- %LOCALAPPDATA%low\mozilla\temp-{bc1f1f78-2666-4310-aef7-f6fd5ba4bc43}\ddqayq sgu4m7oc wifey .mpeg.exe
- %APPDATA%\microsoft\templates\nude uncut sgoibhh .rar.exe
- %APPDATA%\microsoft\windows\templates\fac71w2 8ok6yf girls hotel .mpg.exe
- %APPDATA%\mozilla\firefox\profiles\apc2n9d1.default-release\storage\temporary\viaz50 h93bklf [milf] lzxyhb7k .avi.exe
- %APPDATA%\thunderbird\profiles\rehh7ft5.default-release\storage\temporary\zc8giv9 porn hot (!) 40+ (gina).mpeg.exe
- %HOMEPATH%\templates\xakmpl uncut (jade,haj1oyikd).rar.exe
- %WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor\jxaglwti nom72kl mnho9y54 epyxwn latex (2hbt8wr).mpg.exe
- %WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor.resources\horse horse epyxwn .avi.exe
- %WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor\wpjwijv h93bklf girls sgoibhh .mpeg.exe
- %WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor.resources\asian sperm horse vjq39c1gwy jxqgtp rv0y8n .zip.exe
- %WINDIR%\assembly\gac_64\microsoft.sharepoint.businessdata.administration.client\wpjwijv cum cum 7vepaqjm sm .rar.exe
- %WINDIR%\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\0287zh mzwpstr8n vjq39c1gwy girly .avi.exe
- %WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\wpjwijv nude tsomq34 vjq39c1gwy boots .avi.exe
- %WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zap9e41.tmp\4h1e2a346 horse nom72kl feet zn3tvn .mpg.exe
- %WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\mzwpstr8n hot (!) legs hotel .mpeg.exe
- %WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zap6b8e.tmp\horse xakmpl ihthd33 shoes .zip.exe
- %WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape291.tmp\mzwpstr8n big feet .avi.exe
- %WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape56e.tmp\beast bq4kno cock young .mpg.exe
- %WINDIR%\assembly\nativeimages_v4.0.30319_32\temp\z1qxwcd 8ok6yf ddqayq uncut fw58kpr41ob1w (gina).mpg.exe
- %WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\xxx sperm big 6tl9zg0uqa .mpeg.exe
- %WINDIR%\assembly\temp\0287zh nom72kl l9hwcs7vvnphd9 feet (sandy).rar.exe
- %WINDIR%\assembly\tmp\h93bklf beast [bangbus] fw58kpr41ob1w .mpg.exe
- %WINDIR%\microsoft.net\framework\v4.0.30319\temporary asp.net files\z1qxwcd bd1l5ir [free] cock (cy4xpd,gina).mpeg.exe
- %WINDIR%\microsoft.net\framework64\v4.0.30319\temporary asp.net files\h93bklf cum big lady .mpg.exe
- %WINDIR%\pla\templates\viaz50 sperm mnho9y54 [milf] cock qx2j1b5 .zip.exe
- %WINDIR%\security\templates\mzwpstr8n epyxwn young .mpeg.exe
- %WINDIR%\serviceprofiles\localservice\appdata\local\microsoft\windows\<INETFILES>\f1i7cm xakmpl apv53deiq9fw .rar.exe
- %WINDIR%\serviceprofiles\localservice\appdata\local\temp\xakmpl vjq39c1gwy gh5b6gd7wrv .rar.exe
- %WINDIR%\serviceprofiles\networkservice\appdata\local\microsoft\windows\<INETFILES>\7b6fhxi 8ok6yf h93bklf nom72kl mg9fvb2xk9 .avi.exe
- %WINDIR%\serviceprofiles\networkservice\appdata\local\temp\z1qxwcd wep6b08 porn bq4kno (c4w8hqa,sarah).zip.exe
- %WINDIR%\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\templates\0287zh bd1l5ir sgu4m7oc .zip.exe
- %WINDIR%\syswow64\config\systemprofile\mnho9y54 8ok6yf [bangbus] (jenna,g6u8n4r).zip.exe
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\mzwpstr8n wep6b08 uncut titts sm .mpeg.exe
- %WINDIR%\syswow64\fxstmp\lpcu5ai3 mnho9y54 nom72kl 8pfmdyy .avi.exe
- %WINDIR%\syswow64\ime\shared\ikdyfwhy mzwpstr8n bd1l5ir girls ash nmibe2 (sandy).zip.exe
- %WINDIR%\syswow64\config\systemprofile\ikdyfwhy nude epyxwn qx2j1b5 .mpeg.exe
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\gzn4ud7e cum uncut boobs .zip.exe
- %WINDIR%\syswow64\fxstmp\0287zh beast bd1l5ir uncut (sonja).mpeg.exe
- %WINDIR%\syswow64\ime\shared\wep6b08 hot (!) .zip.exe
- %WINDIR%\temp\upfgetx cum bd1l5ir epyxwn boobs boots .rar.exe
Miscellaneous
Searches for the following windows
- ClassName: 'Progman' WindowName: ''
- ClassName: 'Proxy Desktop' WindowName: ''
Restarts the analyzed sample
Executes the following
- '%WINDIR%\explorer.exe'