Trojan.KillProc2.24637

Technical Information

Malicious functions

Terminates or attempts to terminate

the following system processes:

%WINDIR%\explorer.exe
<SYSTEM32>\taskhost.exe
<SYSTEM32>\dwm.exe

the following user processes:

iexplore.exe
firefox.exe

Modifies file system

Creates the following files

%WINDIR%prea12ybq3
%WINDIR%\assembly\tmp\tf1tq013 2yuliau w5t8cu4 snidyfph feet .zip.exe
%WINDIR%\assembly\temp\black etorvhr vg2zgnq girls hole 40+ .rar.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\gay a1swtsdhkhbf cock sweet .mpg.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_32\temp\0nmwz7s etorvhr mvakgcwi f9kdqlk .rar.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape56e.tmp\black obd4vccp8 horse snidyfph .zip.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zap6b8e.tmp\ktrosnb horse gay a1swtsdhkhbf vkwhqow .rar.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\tf1tq013 abj24u beast hot (!) sm .zip.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zap9e41.tmp\yhfjge obd4vccp8 gay hot (!) .avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\k1tlhzdf cew2xnf4xc feet wifey .zip.exe
%WINDIR%\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\sperm [milf] (opgr3as).avi.exe
%WINDIR%\assembly\gac_64\microsoft.sharepoint.businessdata.administration.client\sperm 6hg4sl 8j1qjf .rar.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor.resources\yhfjge yton2v k1tlhzdf [free] latex .mpeg.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor\z7qips vegpvr horse big hotel .rar.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor.resources\dxzg91nv3 horse 5i8wmj9 [bangbus] (4us7a95g).zip.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor\thw5cms3 porn 5i8wmj9 6hg4sl lady .mpeg.exe
%APPDATA%\thunderbird\profiles\rehh7ft5.default-release\storage\temporary\qjsuuj51 horse uncut .mpeg.exe
%HOMEPATH%\templates\black abj24u 5i8wmj9 snidyfph rg7tdu4 .mpeg.exe
%WINDIR%\microsoft.net\framework\v4.0.30319\temporary asp.net files\tf1tq013 yton2v sperm hot (!) cock .zip.exe
%WINDIR%\microsoft.net\framework64\v4.0.30319\temporary asp.net files\ktrosnb yton2v mvakgcwi girls .avi.exe
%WINDIR%\syswow64\ime\shared\0nmwz7s 5p4dftc gay 3z6oda upfukdp8 .avi.exe
%WINDIR%\syswow64\fxstmp\sperm uncut .mpeg.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\gay [milf] (rhpa1v).avi.exe
%WINDIR%\syswow64\config\systemprofile\thw5cms3 cum xxx [milf] .zip.exe
%WINDIR%\syswow64\ime\shared\dxzg91nv3 vyfkljc16kq xxx 6hg4sl q4njwcdgux5bzomjnr .zip.exe
%WINDIR%\syswow64\fxstmp\xxx qfb04d7ux8iegf glans n3mhrd7 .rar.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\ktrosnb vegpvr w5t8cu4 girls feet .rar.exe
%WINDIR%\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\templates\peud38v vyfkljc16kq beast a1swtsdhkhbf sweet .mpg.exe
C:\users\default\appdata\local\temp\yo6djypsz w5t8cu4 feet rg7tdu4 .avi.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\temp\yhfjge cum mvakgcwi cew2xnf4xc .avi.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\microsoft\windows\<INETFILES>\black vegpvr yo6djypsz f9kdqlk hole 1n4kl7830jqa .zip.exe
%WINDIR%\serviceprofiles\localservice\appdata\roaming\microsoft\windows\templates\ktrosnb porn xxx 3ikjnm4y fishy .mpg.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\temp\yo6djypsz 3ikjnm4y 1n4kl7830jqa (etc82zq,8e6fxld).rar.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\microsoft\windows\<INETFILES>\0nmwz7s horse mvakgcwi a1swtsdhkhbf cock shoes (4us7a95g).mpeg.exe
%WINDIR%\security\templates\thw5cms3 vegpvr girls wifey .rar.exe
%WINDIR%\pla\templates\horse snidyfph (sarah).zip.exe
%APPDATA%\microsoft\windows\templates\z7qips cum vg2zgnq big glans .mpeg.exe
%APPDATA%\microsoft\templates\yo6djypsz uncut titts hairy .zip.exe
%LOCALAPPDATA%low\mozilla\temp-{bc1f1f78-2666-4310-aef7-f6fd5ba4bc43}\yo6djypsz girls fishy .rar.exe
%ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\vsta\itemtemplates\ qfb04d7ux8iegf yipsl1etyvv (gyta81s3l,rhpa1v).zip.exe
%CommonProgramFiles(x86)%\microsoft shared\yhfjge 5p4dftc w5t8cu4 3ikjnm4y lady (sonja,sarah).mpg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files-select\thw5cms3 nude yo6djypsz big agl9tsu .mpeg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files\gay qfb04d7ux8iegf cock boots .mpeg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\idtemplates\thw5cms3 nude beast [free] fcksd0samk .mpeg.exe
%ProgramFiles%\windows sidebar\shared gadgets\thw5cms3 5p4dftc vg2zgnq uncut .mpg.exe
%ProgramFiles%\windows journal\templates\xxx qfb04d7ux8iegf .mpg.exe
%ProgramFiles%\microsoft office\templates\1033\onenote\14\notebook templates\thw5cms3 vyfkljc16kq beast a1swtsdhkhbf 0vzq1yfv (sonja,karin).zip.exe
%ProgramFiles%\microsoft office\templates\z7qips 2yuliau gay a1swtsdhkhbf 0vzq1yfv .zip.exe
%ProgramFiles%\microsoft office\office14\groove\xml files\space templates\xxx 3z6oda h41hy4cklkoue .mpg.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\ktrosnb horse horse 6hg4sl h41hy4cklkoue .avi.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\thw5cms3 yton2v beast [milf] feet vkwhqow (rhpa1v).zip.exe
%ProgramFiles%\dvd maker\shared\5i8wmj9 girls n3mhrd7 .avi.exe
%CommonProgramFiles%\microsoft shared\sperm uncut 1n4kl7830jqa .zip.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\yo6djypsz girls .mpg.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\ktrosnb vegpvr horse big fatfulz .mpg.exe
%ProgramFiles(x86)%\windows sidebar\shared gadgets\0nmwz7s cum w5t8cu4 uncut .avi.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\peud38v vegpvr a1swtsdhkhbf cock .zip.exe
%LOCALAPPDATA%low\mozilla\temp-{28060726-42ae-4e49-b300-93149d394ff5}\0nmwz7s 5p4dftc 5i8wmj9 3z6oda glans .avi.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\vg2zgnq 6hg4sl (4us7a95g).mpeg.exe
%LOCALAPPDATA%low\mozilla\temp-{12c7f776-de07-4d8a-a6eb-93019fcb4f66}\w5t8cu4 [free] wifey (ct00vwxo,liz).mpeg.exe
%LOCALAPPDATA%\<INETFILES>\peud38v porn 5i8wmj9 snidyfph cock 3fzhiwoxgra .mpeg.exe
%TEMP%\beast f9kdqlk feet .mpg.exe
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\xxx w5t8cu4 agl9tsu .mpeg.exe
C:\users\default\templates\0nmwz7s vyfkljc16kq xxx uncut h41hy4cklkoue .zip.exe
C:\users\default\appdata\roaming\microsoft\windows\templates\dk4amn0 2yuliau sperm snidyfph .mpg.exe
%WINDIR%\syswow64\config\systemprofile\k1tlhzdf [free] hairy .avi.exe
%WINDIR%\temp\yhfjge abj24u k1tlhzdf [bangbus] shoes (ct00vwxo,karin).rar.exe
C:\users\default\appdata\local\microsoft\windows\<INETFILES>\yhfjge porn 5i8wmj9 big girly .mpeg.exe
%ALLUSERSPROFILE%\templates\gay [bangbus] hole latex .rar.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\gay w5t8cu4 wifey .zip.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\sperm [bangbus] .mpg.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\black yton2v horse qfb04d7ux8iegf 40+ .rar.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\vg2zgnq hot (!) (8e6fxld).avi.exe
%ALLUSERSPROFILE%\templates\z7qips obd4vccp8 beast [milf] wxpokr .mpg.exe
C:\users\default\appdata\local\<INETFILES>\w5t8cu4 hot (!) agl9tsu .zip.exe
%WINDIR%\winsxs\installtemp\cum uncut titts 7k78h5f .rar.exe

Miscellaneous

Searches for the following windows

ClassName: 'Progman' WindowName: ''
ClassName: 'Proxy Desktop' WindowName: ''

Restarts the analyzed sample

Executes the following

'%WINDIR%\explorer.exe'

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial