Trojan.KillProc2.24659

Technical Information

Malicious functions

Terminates or attempts to terminate

the following system processes:

%WINDIR%\explorer.exe
<SYSTEM32>\taskhost.exe
<SYSTEM32>\dwm.exe

the following user processes:

iexplore.exe
firefox.exe

Modifies file system

Creates the following files

%WINDIR%prea12ybq3
%WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\beast [free] hotel .rar.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_32\temp\dk4amn0 horse 5i8wmj9 big feet 50+ (8e6fxld).avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape56e.tmp\w5t8cu4 [free] .mpg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape291.tmp\horse 3z6oda wifey .avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zap6b8e.tmp\ 6hg4sl glans .rar.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\tf1tq013 horse w5t8cu4 (sarah).mpg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zap9e41.tmp\z7qips nude yo6djypsz [milf] feet .avi.exe
%WINDIR%\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\dk4amn0 nude yo6djypsz snidyfph hole fishy (4us7a95g).zip.exe
%WINDIR%\assembly\tmp\yhfjge etorvhr uncut titts wxpokr .mpeg.exe
%WINDIR%\assembly\gac_64\microsoft.sharepoint.businessdata.administration.client\dxzg91nv3 yton2v mvakgcwi 3ikjnm4y hole rg7tdu4 (opgr3as).zip.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor.resources\vg2zgnq uncut hotel .mpg.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor\black nude mvakgcwi [milf] fcksd0samk .rar.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor.resources\black vyfkljc16kq gay [milf] z9ay2h .zip.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor\yhfjge obd4vccp8 k1tlhzdf qfb04d7ux8iegf (sarah).avi.exe
%HOMEPATH%\templates\yhfjge etorvhr w5t8cu4 f9kdqlk ash .mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\tf1tq013 etorvhr k1tlhzdf [bangbus] vnm7bo .avi.exe
C:\users\default\appdata\local\<INETFILES>\black horse [free] lady .mpeg.exe
%WINDIR%\microsoft.net\framework\v4.0.30319\temporary asp.net files\k1tlhzdf [bangbus] dvmdzwh8lo .zip.exe
%WINDIR%\syswow64\ime\shared\ [bangbus] titts 1n4kl7830jqa .avi.exe
%WINDIR%\syswow64\fxstmp\thw5cms3 yton2v vg2zgnq hot (!) glans fatfulz .zip.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\0nmwz7s vyfkljc16kq horse w5t8cu4 sweet .mpg.exe
%WINDIR%\syswow64\config\systemprofile\yo6djypsz [free] .zip.exe
%WINDIR%\syswow64\ime\shared\0nmwz7s vyfkljc16kq horse cew2xnf4xc agl9tsu .zip.exe
%WINDIR%\syswow64\fxstmp\cum gay girls hotel (sonja,2b0ay6o).zip.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\gay [milf] latex .avi.exe
%APPDATA%\thunderbird\profiles\rehh7ft5.default-release\storage\temporary\black cum xxx a1swtsdhkhbf yipsl1etyvv .avi.exe
%WINDIR%\assembly\temp\0nmwz7s 5p4dftc mvakgcwi 3z6oda .mpg.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\temp\dk4amn0 vegpvr xxx girls h41hy4cklkoue .avi.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\microsoft\windows\<INETFILES>\dxzg91nv3 2yuliau mvakgcwi 3z6oda titts sm .mpeg.exe
%WINDIR%\serviceprofiles\localservice\appdata\roaming\microsoft\windows\templates\0nmwz7s nude 5i8wmj9 3ikjnm4y fcksd0samk .mpeg.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\temp\horse snidyfph feet sweet .mpg.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\microsoft\windows\<INETFILES>\tf1tq013 5p4dftc vg2zgnq f9kdqlk oltmowd .mpeg.exe
%WINDIR%\security\templates\beast [bangbus] (8e6fxld).mpg.exe
%WINDIR%\pla\templates\gay [milf] agl9tsu .avi.exe
%WINDIR%\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\templates\k1tlhzdf [free] fatfulz (sonja,2b0ay6o).mpeg.exe
%WINDIR%\microsoft.net\framework64\v4.0.30319\temporary asp.net files\yhfjge obd4vccp8 mvakgcwi w5t8cu4 sm .mpg.exe
%APPDATA%\mozilla\firefox\profiles\apc2n9d1.default-release\storage\temporary\5i8wmj9 f9kdqlk titts .avi.exe
%APPDATA%\microsoft\windows\templates\yhfjge yton2v vg2zgnq cew2xnf4xc (2b0ay6o).avi.exe
%APPDATA%\microsoft\templates\thw5cms3 abj24u beast uncut .avi.exe
%ProgramFiles%\windows journal\templates\tf1tq013 2yuliau sperm snidyfph (0wlc1ae).avi.exe
%ProgramFiles(x86)%\windows sidebar\shared gadgets\dxzg91nv3 5p4dftc 5i8wmj9 hot (!) 50+ .rar.exe
%ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\vsta\itemtemplates\xxx uncut fatfulz (gina,sarah).mpg.exe
%CommonProgramFiles(x86)%\microsoft shared\0nmwz7s obd4vccp8 beast snidyfph latex .mpeg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files-select\xxx w5t8cu4 rg7tdu4 .mpeg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files\0nmwz7s horse k1tlhzdf [bangbus] titts .rar.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\idtemplates\dk4amn0 nude mvakgcwi [free] shoes .rar.exe
%WINDIR%\temp\5i8wmj9 cew2xnf4xc titts 40+ .mpg.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\yhfjge yton2v horse f9kdqlk 50+ (etc82zq,2b0ay6o).mpeg.exe
%ProgramFiles%\microsoft office\templates\1033\onenote\14\notebook templates\vg2zgnq [free] .avi.exe
%ProgramFiles%\microsoft office\templates\vg2zgnq f9kdqlk 50+ (etc82zq,karin).mpeg.exe
%ProgramFiles%\microsoft office\office14\groove\xml files\space templates\w5t8cu4 cew2xnf4xc fcksd0samk .zip.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\thw5cms3 yton2v 5i8wmj9 w5t8cu4 glans .mpg.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\thw5cms3 yton2v beast 3ikjnm4y girly .mpg.exe
%ProgramFiles%\dvd maker\shared\mvakgcwi 3ikjnm4y fcksd0samk .mpg.exe
%CommonProgramFiles%\microsoft shared\black vegpvr [milf] (opgr3as).rar.exe
%ProgramFiles%\windows sidebar\shared gadgets\gay girls (rhpa1v).mpg.exe
%WINDIR%\syswow64\config\systemprofile\w5t8cu4 6hg4sl feet .mpeg.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\peud38v yton2v k1tlhzdf qfb04d7ux8iegf (sarah).zip.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\0nmwz7s porn 5i8wmj9 6hg4sl .zip.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\z7qips 2yuliau k1tlhzdf girls glans .rar.exe
%LOCALAPPDATA%low\mozilla\temp-{bc1f1f78-2666-4310-aef7-f6fd5ba4bc43}\beast big titts lady .avi.exe
%LOCALAPPDATA%low\mozilla\temp-{28060726-42ae-4e49-b300-93149d394ff5}\ktrosnb abj24u vg2zgnq uncut cock .avi.exe
%LOCALAPPDATA%low\mozilla\temp-{12c7f776-de07-4d8a-a6eb-93019fcb4f66}\yo6djypsz a1swtsdhkhbf cock n3mhrd7 .mpeg.exe
%LOCALAPPDATA%\<INETFILES>\ktrosnb obd4vccp8 vg2zgnq cew2xnf4xc (jade).avi.exe
%TEMP%\0nmwz7s 2yuliau horse uncut lady .avi.exe
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\black yton2v sperm 3z6oda cock vkwhqow .rar.exe
%ALLUSERSPROFILE%\templates\black horse 5i8wmj9 snidyfph hole 7k78h5f (2b0ay6o).mpeg.exe
C:\users\default\templates\thw5cms3 cum 6hg4sl .avi.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\dk4amn0 abj24u xxx f9kdqlk titts (gyta81s3l,liz).zip.exe
C:\users\default\appdata\local\temp\dxzg91nv3 nude vg2zgnq 6hg4sl boots .zip.exe
C:\users\default\appdata\local\microsoft\windows\<INETFILES>\dk4amn0 porn k1tlhzdf big glans .rar.exe
%ALLUSERSPROFILE%\templates\5i8wmj9 f9kdqlk .mpeg.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\xxx 3z6oda young .avi.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\ktrosnb abj24u sperm 6hg4sl h41hy4cklkoue .avi.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\0nmwz7s porn gay snidyfph hairy .mpeg.exe
C:\users\default\appdata\roaming\microsoft\windows\templates\0nmwz7s cum gay hot (!) (4us7a95g).avi.exe
%WINDIR%\winsxs\installtemp\horse k1tlhzdf girls fcksd0samk .avi.exe

Miscellaneous

Searches for the following windows

ClassName: 'Progman' WindowName: ''
ClassName: 'Proxy Desktop' WindowName: ''

Restarts the analyzed sample

Executes the following

'%WINDIR%\explorer.exe'

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial