Technical Information
Malicious functions
Terminates or attempts to terminate
the following system processes:
- %WINDIR%\explorer.exe
- <SYSTEM32>\taskhost.exe
- <SYSTEM32>\dwm.exe
the following user processes:
- iexplore.exe
- firefox.exe
Modifies file system
Creates the following files
- %WINDIR%y1s2fctrp3
- %CommonProgramFiles%\microsoft shared\wep6b08 vjq39c1gwy sweet .avi.exe
- %ProgramFiles%\dvd maker\shared\horse xxx girls .mpeg.exe
- %ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\ikdyfwhy horse nude [milf] 40+ (gina).avi.exe
- %ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\4h1e2a346 h93bklf bq4kno .rar.exe
- %ProgramFiles%\microsoft office\office14\groove\xml files\space templates\wpjwijv lpcu5ai3 h93bklf l9hwcs7vvnphd9 qx2j1b5 .rar.exe
- %ProgramFiles%\microsoft office\templates\xxx vjq39c1gwy .avi.exe
- %ProgramFiles%\microsoft office\templates\1033\onenote\14\notebook templates\z9z7rwe cum xxx [milf] 779mipj .zip.exe
- %ProgramFiles%\windows journal\templates\fac71w2 horse bq4kno cock balls .rar.exe
- %ProgramFiles%\windows sidebar\shared gadgets\black horse hot (!) .mpeg.exe
- %ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files\nom72kl vjq39c1gwy glans boots .mpg.exe
- %ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files-select\horse bd1l5ir girls qq6w54yfhtqrbwcslg .mpg.exe
- %CommonProgramFiles(x86)%\microsoft shared\horse hot (!) ash (jade).mpg.exe
- %ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\vsta\itemtemplates\eq7k2xcxt sperm uncut sweet .mpeg.exe
- %ProgramFiles(x86)%\windows sidebar\shared gadgets\jxaglwti hot (!) .avi.exe
- %ALLUSERSPROFILE%\microsoft\rac\temp\cum 7nd83wovj [bangbus] .zip.exe
- %ALLUSERSPROFILE%\microsoft\search\data\temp\tsomq34 girls 40+ (2hbt8wr,c4w8hqa).zip.exe
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\gzn4ud7e nude l9hwcs7vvnphd9 (2hbt8wr).mpeg.exe
- %ALLUSERSPROFILE%\microsoft\windows\templates\eq7k2xcxt 8ok6yf [bangbus] qq6w54yfhtqrbwcslg .zip.exe
- %ALLUSERSPROFILE%\templates\0287zh mnho9y54 girls js80j73 .zip.exe
- %ALLUSERSPROFILE%\microsoft\rac\temp\yzw1afy l9hwcs7vvnphd9 titts .mpeg.exe
- %ALLUSERSPROFILE%\microsoft\search\data\temp\upfgetx mzwpstr8n sgu4m7oc titts 40+ .mpg.exe
- %ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\yzw1afy bq4kno hole 779mipj .rar.exe
- %ALLUSERSPROFILE%\microsoft\windows\templates\bd1l5ir big legs .rar.exe
- %ALLUSERSPROFILE%\templates\ikdyfwhy beast horse uncut 40+ .rar.exe
- C:\users\default\appdata\local\microsoft\windows\<INETFILES>\f07qtt sperm girls ol6p1tua .mpg.exe
- C:\users\default\appdata\local\temp\z9z7rwe bd1l5ir ihthd33 titts .zip.exe
- C:\users\default\appdata\local\<INETFILES>\eq7k2xcxt bd1l5ir nom72kl apv53deiq9fw titts ejn547rbxhd1 (36mho73,jenna).mpeg.exe
- C:\users\default\appdata\roaming\microsoft\windows\templates\bd1l5ir big (rdl1tfkz).avi.exe
- C:\users\default\templates\zc8giv9 tsomq34 mzwpstr8n nom72kl legs .mpg.exe
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\eq7k2xcxt horse hot (!) sm .mpg.exe
- %TEMP%\cum wep6b08 apv53deiq9fw .rar.exe
- %LOCALAPPDATA%\<INETFILES>\zc8giv9 mzwpstr8n apv53deiq9fw hole 8bgkvshe1 .zip.exe
- %LOCALAPPDATA%low\mozilla\temp-{12c7f776-de07-4d8a-a6eb-93019fcb4f66}\black xakmpl mnho9y54 [milf] glans ejn547rbxhd1 (y8oxsqa).mpg.exe
- %LOCALAPPDATA%low\mozilla\temp-{28060726-42ae-4e49-b300-93149d394ff5}\xakmpl gay [milf] legs hotel .mpeg.exe
- %LOCALAPPDATA%low\mozilla\temp-{bc1f1f78-2666-4310-aef7-f6fd5ba4bc43}\sperm bd1l5ir bq4kno qx2j1b5 .rar.exe
- %APPDATA%\microsoft\templates\viaz50 gay [milf] shoes .mpeg.exe
- %APPDATA%\microsoft\windows\templates\zc8giv9 bd1l5ir gay sgu4m7oc .rar.exe
- %APPDATA%\mozilla\firefox\profiles\apc2n9d1.default-release\storage\temporary\porn nom72kl .rar.exe
- %APPDATA%\thunderbird\profiles\rehh7ft5.default-release\storage\temporary\sperm cum girls nrb42wq .zip.exe
- %HOMEPATH%\templates\mzwpstr8n apv53deiq9fw cock .mpeg.exe
- %WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor\wpjwijv xxx 7vepaqjm lady .rar.exe
- %WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor.resources\mnho9y54 uncut fw58kpr41ob1w .rar.exe
- %WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor\horse gay ihthd33 kfp2yqq .zip.exe
- %WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor.resources\upfgetx tsomq34 apv53deiq9fw mg9fvb2xk9 (rdl1tfkz).rar.exe
- %WINDIR%\assembly\gac_64\microsoft.sharepoint.businessdata.administration.client\porn horse uncut boobs zmc8ujp (gina,jade).rar.exe
- %WINDIR%\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\horse vjq39c1gwy kfp2yqq balls .mpg.exe
- %WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\7nd83wovj [milf] .zip.exe
- %WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zap9e41.tmp\z1qxwcd h93bklf porn bq4kno sgoibhh .zip.exe
- %WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\s2fkave horse sgu4m7oc gh5b6gd7wrv (dehod0,jade).avi.exe
- %WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zap6b8e.tmp\mzwpstr8n ihthd33 mg9fvb2xk9 .rar.exe
- %WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape291.tmp\lpcu5ai3 apv53deiq9fw glans gsva2xn (sonja,sonja).mpg.exe
- %WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape56e.tmp\7b6fhxi horse ihthd33 8pfmdyy .rar.exe
- %WINDIR%\assembly\nativeimages_v4.0.30319_32\temp\f07qtt 8ok6yf w6csjja14n1 apv53deiq9fw sgoibhh (36mho73,y8oxsqa).rar.exe
- %WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\xxx ihthd33 cock js80j73 .zip.exe
- %WINDIR%\assembly\temp\z1qxwcd nom72kl sgoibhh (sandy).zip.exe
- %WINDIR%\assembly\tmp\z1qxwcd bd1l5ir apv53deiq9fw kfp2yqq zn3tvn .mpg.exe
- %WINDIR%\microsoft.net\framework\v4.0.30319\temporary asp.net files\7nd83wovj tsomq34 bq4kno hairy (sandy,dehod0).avi.exe
- %WINDIR%\microsoft.net\framework64\v4.0.30319\temporary asp.net files\0287zh beast h93bklf [milf] young .mpeg.exe
- %WINDIR%\pla\templates\eq7k2xcxt wep6b08 bq4kno nrb42wq .rar.exe
- %WINDIR%\serviceprofiles\localservice\appdata\local\microsoft\windows\<INETFILES>\sperm hot (!) lady .zip.exe
- %WINDIR%\serviceprofiles\localservice\appdata\local\temp\gzn4ud7e nom72kl w6csjja14n1 sgu4m7oc (sandy).mpeg.exe
- %WINDIR%\serviceprofiles\localservice\appdata\roaming\microsoft\windows\templates\f1i7cm xakmpl apv53deiq9fw 40+ (sarah,sonja).rar.exe
- %WINDIR%\serviceprofiles\networkservice\appdata\local\microsoft\windows\<INETFILES>\yzw1afy nom72kl shoes .mpg.exe
- %WINDIR%\serviceprofiles\networkservice\appdata\local\temp\ikdyfwhy horse cum uncut glans .mpg.exe
- %WINDIR%\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\templates\xxx nude nom72kl b37oavmx289 .avi.exe
- %WINDIR%\syswow64\config\systemprofile\ikdyfwhy gay 7vepaqjm .mpeg.exe
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\yzw1afy horse ihthd33 (cy4xpd,jade).zip.exe
- %WINDIR%\syswow64\fxstmp\bd1l5ir [bangbus] (cy4xpd,sonja).zip.exe
- %WINDIR%\syswow64\ime\shared\fac71w2 horse horse hot (!) 6tl9zg0uqa (gina).mpeg.exe
- %WINDIR%\syswow64\config\systemprofile\porn xxx nom72kl (y8oxsqa).avi.exe
- %WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\asian beast [free] (36mho73).mpg.exe
- %WINDIR%\syswow64\fxstmp\z1qxwcd cum uncut .rar.exe
- %WINDIR%\temp\z9z7rwe 8ok6yf [free] .mpg.exe
Miscellaneous
Searches for the following windows
- ClassName: 'Progman' WindowName: ''
- ClassName: 'Proxy Desktop' WindowName: ''
Restarts the analyzed sample
Executes the following
- '%WINDIR%\explorer.exe'