Trojan.KillProc2.24636

Technical Information

Malicious functions

Terminates or attempts to terminate

the following system processes:

%WINDIR%\explorer.exe
<SYSTEM32>\taskhost.exe
<SYSTEM32>\dwm.exe

the following user processes:

iexplore.exe
firefox.exe

Modifies file system

Creates the following files

%WINDIR%prea12ybq3
%WINDIR%\assembly\tmp\tf1tq013 nude k1tlhzdf [free] glans vvano0phq .rar.exe
%WINDIR%\assembly\temp\yo6djypsz a1swtsdhkhbf glans z9ay2h .avi.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\xxx 6hg4sl .mpg.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_32\temp\beast 6hg4sl .rar.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape56e.tmp\sperm qfb04d7ux8iegf titts lady .rar.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape291.tmp\thw5cms3 cum yo6djypsz [bangbus] titts hairy .mpg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zap6b8e.tmp\mvakgcwi [bangbus] glans 50+ .zip.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\w5t8cu4 [bangbus] (2b0ay6o).mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zap9e41.tmp\vg2zgnq w5t8cu4 fatfulz .avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\ktrosnb abj24u xxx [bangbus] 3fzhiwoxgra .rar.exe
%WINDIR%\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\yhfjge cum mvakgcwi 6hg4sl fatfulz .rar.exe
%WINDIR%\assembly\gac_64\microsoft.sharepoint.businessdata.administration.client\k1tlhzdf [milf] sweet .mpg.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor.resources\peud38v cum k1tlhzdf [bangbus] feet sweet .rar.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor\yo6djypsz f9kdqlk wkdgiqz .avi.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor.resources\mvakgcwi cew2xnf4xc titts .mpeg.exe
%HOMEPATH%\templates\w5t8cu4 big fishy .avi.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor\dk4amn0 2yuliau big sweet .avi.exe
%WINDIR%\microsoft.net\framework\v4.0.30319\temporary asp.net files\ktrosnb abj24u gay w5t8cu4 3fzhiwoxgra (jenna,jade).mpg.exe
%WINDIR%\microsoft.net\framework64\v4.0.30319\temporary asp.net files\xxx 3ikjnm4y .rar.exe
%WINDIR%\syswow64\ime\shared\peud38v 2yuliau gay snidyfph upfukdp8 .avi.exe
%WINDIR%\syswow64\fxstmp\beast w5t8cu4 .rar.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\thw5cms3 porn k1tlhzdf f9kdqlk balls .rar.exe
%WINDIR%\syswow64\config\systemprofile\horse 3z6oda 7k78h5f .mpg.exe
%WINDIR%\syswow64\ime\shared\tf1tq013 porn yo6djypsz 6hg4sl boots .mpg.exe
%WINDIR%\syswow64\fxstmp\abj24u sperm a1swtsdhkhbf feet young (opgr3as).rar.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\tf1tq013 cum 5i8wmj9 a1swtsdhkhbf hole .zip.exe
%WINDIR%\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\templates\yhfjge nude yo6djypsz cew2xnf4xc .mpeg.exe
C:\users\default\appdata\local\<INETFILES>\sperm a1swtsdhkhbf .mpeg.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\temp\k1tlhzdf 3ikjnm4y .zip.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\microsoft\windows\<INETFILES>\ktrosnb cum sperm uncut feet .avi.exe
%WINDIR%\serviceprofiles\localservice\appdata\roaming\microsoft\windows\templates\peud38v horse xxx [free] ash .mpg.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\temp\peud38v yton2v w5t8cu4 [bangbus] glans z9ay2h (liz).avi.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\microsoft\windows\<INETFILES>\peud38v 2yuliau [milf] yipsl1etyvv .zip.exe
%WINDIR%\security\templates\ktrosnb 2yuliau 5i8wmj9 w5t8cu4 .avi.exe
%WINDIR%\pla\templates\yhfjge obd4vccp8 uncut (rhpa1v).avi.exe
%APPDATA%\thunderbird\profiles\rehh7ft5.default-release\storage\temporary\tf1tq013 yton2v [bangbus] hairy .mpeg.exe
%APPDATA%\mozilla\firefox\profiles\apc2n9d1.default-release\storage\temporary\beast qfb04d7ux8iegf z9ay2h (jenna,4us7a95g).avi.exe
%APPDATA%\microsoft\windows\templates\horse 5i8wmj9 cew2xnf4xc .rar.exe
%ProgramFiles(x86)%\windows sidebar\shared gadgets\dk4amn0 porn xxx qfb04d7ux8iegf hole h41hy4cklkoue .mpg.exe
%ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\vsta\itemtemplates\tf1tq013 5p4dftc 5i8wmj9 3ikjnm4y wkdgiqz .mpeg.exe
%CommonProgramFiles(x86)%\microsoft shared\0nmwz7s vyfkljc16kq beast uncut h41hy4cklkoue .rar.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files-select\yhfjge 5p4dftc gay 3ikjnm4y glans girly .avi.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files\horse 6hg4sl oltmowd .avi.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\idtemplates\horse cew2xnf4xc feet .avi.exe
%ProgramFiles%\windows sidebar\shared gadgets\k1tlhzdf [milf] 1wyga12mzc .rar.exe
%ProgramFiles%\windows journal\templates\yo6djypsz 3ikjnm4y hairy .mpeg.exe
%ProgramFiles%\microsoft office\templates\1033\onenote\14\notebook templates\p2yoszc xxx 3z6oda dvmdzwh8lo .mpg.exe
%ProgramFiles%\microsoft office\office14\groove\xml files\space templates\black 5p4dftc k1tlhzdf [free] (sarah).mpg.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\w5t8cu4 girls .mpg.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\yo6djypsz 3ikjnm4y titts .mpg.exe
%ProgramFiles%\dvd maker\shared\black vegpvr w5t8cu4 f9kdqlk titts .zip.exe
%CommonProgramFiles%\microsoft shared\ktrosnb abj24u 5i8wmj9 3z6oda (4us7a95g).zip.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\z7qips 5p4dftc mvakgcwi qfb04d7ux8iegf cock (gyta81s3l,karin).mpg.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\thw5cms3 5p4dftc horse uncut 0vzq1yfv (gyta81s3l,sarah).mpg.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\dxzg91nv3 vyfkljc16kq beast 3z6oda .rar.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\black etorvhr horse uncut .mpg.exe
%LOCALAPPDATA%low\mozilla\temp-{bc1f1f78-2666-4310-aef7-f6fd5ba4bc43}\horse [bangbus] 7k78h5f (jenna,rhpa1v).mpg.exe
%ALLUSERSPROFILE%\templates\z7qips vyfkljc16kq yo6djypsz uncut 50+ .mpg.exe
%LOCALAPPDATA%low\mozilla\temp-{28060726-42ae-4e49-b300-93149d394ff5}\vg2zgnq cew2xnf4xc 0vzq1yfv .rar.exe
%LOCALAPPDATA%low\mozilla\temp-{12c7f776-de07-4d8a-a6eb-93019fcb4f66}\dk4amn0 vyfkljc16kq w5t8cu4 hot (!) balls .zip.exe
%LOCALAPPDATA%\<INETFILES>\thw5cms3 horse 5i8wmj9 uncut (2b0ay6o).zip.exe
%TEMP%\black vegpvr w5t8cu4 wkdgiqz .zip.exe
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\dxzg91nv3 vyfkljc16kq vg2zgnq a1swtsdhkhbf glans fcksd0samk (karin).mpeg.exe
C:\users\default\templates\xxx girls (karin).rar.exe
%WINDIR%\syswow64\config\systemprofile\dxzg91nv3 nude 5i8wmj9 uncut wkdgiqz .zip.exe
%WINDIR%\temp\z7qips nude w5t8cu4 (sarah).zip.exe
C:\users\default\appdata\local\temp\ktrosnb cum 5i8wmj9 cew2xnf4xc fishy .avi.exe
C:\users\default\appdata\local\microsoft\windows\<INETFILES>\5i8wmj9 [free] cock .avi.exe
%ALLUSERSPROFILE%\templates\tf1tq013 vegpvr beast 6hg4sl titts q4njwcdgux5bzomjnr .mpg.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\0nmwz7s 5p4dftc beast a1swtsdhkhbf titts agl9tsu (8e6fxld).avi.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\z7qips cum gay 6hg4sl cock wkdgiqz .rar.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\thw5cms3 abj24u beast hot (!) .rar.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\dk4amn0 yton2v 5i8wmj9 f9kdqlk titts .avi.exe
C:\users\default\appdata\roaming\microsoft\windows\templates\black yton2v k1tlhzdf a1swtsdhkhbf cock .mpg.exe
%WINDIR%\winsxs\installtemp\p2yoszc 5i8wmj9 a1swtsdhkhbf z9ay2h .avi.exe

Miscellaneous

Searches for the following windows

ClassName: 'Progman' WindowName: ''
ClassName: 'Proxy Desktop' WindowName: ''

Restarts the analyzed sample

Executes the following

'%WINDIR%\explorer.exe'

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial