Trojan.KillProc2.24647

Technical Information

Malicious functions

Terminates or attempts to terminate

the following system processes:

%WINDIR%\explorer.exe
<SYSTEM32>\taskhost.exe
<SYSTEM32>\dwm.exe

the following user processes:

iexplore.exe
firefox.exe

Modifies file system

Creates the following files

%WINDIR%prea12ybq3
%WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\k1tlhzdf w5t8cu4 (opgr3as).avi.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_32\temp\0nmwz7s horse uncut feet .zip.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape56e.tmp\gay big .rar.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape291.tmp\peud38v 2yuliau w5t8cu4 3z6oda girly .mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zap6b8e.tmp\k1tlhzdf cew2xnf4xc q4njwcdgux5bzomjnr .mpg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\ big feet 50+ .mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zap9e41.tmp\peud38v 5p4dftc vg2zgnq w5t8cu4 q4njwcdgux5bzomjnr (yeadrcq,sarah).mpg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\horse uncut wkdgiqz .zip.exe
%WINDIR%\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\w5t8cu4 6hg4sl 7k78h5f (jenna,jade).avi.exe
%WINDIR%\assembly\gac_64\microsoft.sharepoint.businessdata.administration.client\5i8wmj9 qfb04d7ux8iegf fatfulz (etc82zq,0wlc1ae).rar.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor.resources\dk4amn0 cum gay 3ikjnm4y .avi.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor\tf1tq013 vegpvr k1tlhzdf 3z6oda n3mhrd7 .mpeg.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor.resources\vg2zgnq 3z6oda h41hy4cklkoue .mpg.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor\sperm cew2xnf4xc 8j1qjf .zip.exe
%HOMEPATH%\templates\dxzg91nv3 porn w5t8cu4 f9kdqlk .mpeg.exe
%WINDIR%\assembly\temp\black horse 5i8wmj9 girls glans h41hy4cklkoue .mpg.exe
%WINDIR%\assembly\tmp\xxx qfb04d7ux8iegf .rar.exe
%WINDIR%\microsoft.net\framework\v4.0.30319\temporary asp.net files\dk4amn0 porn big .rar.exe
%WINDIR%\microsoft.net\framework64\v4.0.30319\temporary asp.net files\peud38v yton2v horse 3ikjnm4y agl9tsu .rar.exe
%WINDIR%\syswow64\ime\shared\k1tlhzdf f9kdqlk glans hairy (2b0ay6o).mpeg.exe
%WINDIR%\syswow64\fxstmp\0nmwz7s 5p4dftc yo6djypsz 6hg4sl hole .mpeg.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\0nmwz7s porn horse [free] balls (sandy,4us7a95g).mpeg.exe
%WINDIR%\syswow64\config\systemprofile\yo6djypsz cew2xnf4xc .mpg.exe
%WINDIR%\syswow64\ime\shared\thw5cms3 porn sperm hot (!) vnm7bo .avi.exe
%WINDIR%\syswow64\fxstmp\tl1xg0d vg2zgnq a1swtsdhkhbf (4us7a95g).mpg.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\xxx [milf] .mpeg.exe
%WINDIR%\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\templates\mvakgcwi uncut hotel .avi.exe
%WINDIR%\syswow64\config\systemprofile\gay snidyfph oltmowd (f56rj0,opgr3as).zip.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\temp\xxx [bangbus] (opgr3as).mpg.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\microsoft\windows\<INETFILES>\z7qips porn beast snidyfph 1wyga12mzc .mpg.exe
%WINDIR%\serviceprofiles\localservice\appdata\roaming\microsoft\windows\templates\ a1swtsdhkhbf glans (yeadrcq,liz).avi.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\temp\w5t8cu4 3z6oda 0vzq1yfv .rar.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\microsoft\windows\<INETFILES>\z7qips porn xxx big (2b0ay6o).rar.exe
%WINDIR%\security\templates\0nmwz7s 5p4dftc w5t8cu4 hot (!) cock 1wyga12mzc .mpeg.exe
%WINDIR%\pla\templates\w5t8cu4 3ikjnm4y feet .mpeg.exe
%WINDIR%\temp\horse 3z6oda .mpg.exe
%APPDATA%\thunderbird\profiles\rehh7ft5.default-release\storage\temporary\k1tlhzdf 6hg4sl lady .zip.exe
%APPDATA%\microsoft\windows\templates\tf1tq013 vegpvr sperm snidyfph titts boots (opgr3as).rar.exe
%APPDATA%\microsoft\templates\mvakgcwi uncut balls .mpeg.exe
%ProgramFiles(x86)%\windows sidebar\shared gadgets\thw5cms3 2yuliau 5i8wmj9 a1swtsdhkhbf cock sm .mpg.exe
%ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\vsta\itemtemplates\beast snidyfph agl9tsu .rar.exe
%CommonProgramFiles(x86)%\microsoft shared\ 3ikjnm4y (4us7a95g).zip.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files-select\xxx 6hg4sl hole fcksd0samk (liz).rar.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files\tf1tq013 etorvhr vg2zgnq cew2xnf4xc hairy .rar.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\idtemplates\k1tlhzdf uncut .mpeg.exe
%ProgramFiles%\windows sidebar\shared gadgets\dk4amn0 yton2v sperm w5t8cu4 feet ash .rar.exe
%ProgramFiles%\windows journal\templates\ktrosnb porn gay f9kdqlk .avi.exe
%ProgramFiles%\microsoft office\templates\1033\onenote\14\notebook templates\thw5cms3 porn horse f9kdqlk feet .zip.exe
%ProgramFiles%\microsoft office\templates\black abj24u sperm w5t8cu4 lady .rar.exe
%ProgramFiles%\microsoft office\office14\groove\xml files\space templates\xxx f9kdqlk (karin).zip.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\w5t8cu4 cew2xnf4xc hole .zip.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\0nmwz7s yton2v sperm [milf] .avi.exe
%ProgramFiles%\dvd maker\shared\k1tlhzdf 6hg4sl (0wlc1ae).rar.exe
%CommonProgramFiles%\microsoft shared\dk4amn0 etorvhr gay big hole .zip.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\z7qips horse sperm a1swtsdhkhbf .rar.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\tf1tq013 abj24u vg2zgnq 3ikjnm4y ash (sonja,rhpa1v).avi.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\ktrosnb obd4vccp8 5i8wmj9 girls (0wlc1ae).rar.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\sperm uncut wxpokr .mpg.exe
%LOCALAPPDATA%low\mozilla\temp-{28060726-42ae-4e49-b300-93149d394ff5}\dk4amn0 cum k1tlhzdf uncut .mpeg.exe
%LOCALAPPDATA%low\mozilla\temp-{12c7f776-de07-4d8a-a6eb-93019fcb4f66}\ktrosnb vyfkljc16kq xxx uncut .avi.exe
%LOCALAPPDATA%\<INETFILES>\z7qips yton2v vg2zgnq [bangbus] sm .avi.exe
%TEMP%\ktrosnb abj24u 5i8wmj9 qfb04d7ux8iegf (sarah).mpeg.exe
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\ktrosnb horse sperm uncut .mpeg.exe
C:\users\default\templates\black 2yuliau horse [milf] lady .mpeg.exe
C:\users\default\appdata\roaming\microsoft\windows\templates\black 5p4dftc sperm uncut .zip.exe
C:\users\default\appdata\local\temp\yhfjge yton2v xxx [free] lady .mpeg.exe
C:\users\default\appdata\local\<INETFILES>\ [free] oltmowd .avi.exe
C:\users\default\appdata\local\microsoft\windows\<INETFILES>\yhfjge horse 3ikjnm4y oltmowd .mpg.exe
%ALLUSERSPROFILE%\templates\thw5cms3 2yuliau mvakgcwi girls z9ay2h .rar.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\0nmwz7s cum yo6djypsz snidyfph cock wifey .avi.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\ktrosnb abj24u horse cew2xnf4xc vkwhqow .rar.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\black nude k1tlhzdf hot (!) wxpokr .zip.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\0nmwz7s etorvhr w5t8cu4 uncut ash .mpeg.exe
%ALLUSERSPROFILE%\templates\ktrosnb vyfkljc16kq gay f9kdqlk feet 3fzhiwoxgra .zip.exe
%LOCALAPPDATA%low\mozilla\temp-{bc1f1f78-2666-4310-aef7-f6fd5ba4bc43}\dxzg91nv3 5p4dftc beast a1swtsdhkhbf .rar.exe
%WINDIR%\winsxs\installtemp\qjsuuj51 5i8wmj9 uncut upfukdp8 (ct00vwxo,liz).mpeg.exe

Miscellaneous

Searches for the following windows

ClassName: 'Progman' WindowName: ''
ClassName: 'Proxy Desktop' WindowName: ''

Restarts the analyzed sample

Executes the following

'%WINDIR%\explorer.exe'

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial