Trojan.KillProc2.25011

Technical Information

Malicious functions

Terminates or attempts to terminate

the following system processes:

%WINDIR%\explorer.exe
<SYSTEM32>\taskhost.exe
<SYSTEM32>\dwm.exe

the following user processes:

iexplore.exe
firefox.exe

Modifies file system

Creates the following files

%WINDIR%y1s2fctrp3
%CommonProgramFiles%\microsoft shared\gay girls titts (jenna,dxocjwba).zip.exe
%ProgramFiles%\dvd maker\shared\lpcu5ai3 epyxwn wifey (rdl1tfkz,karin).mpg.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\z9z7rwe horse ihthd33 sm .rar.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\z9z7rwe xakmpl gay [milf] (sarah).avi.exe
%ProgramFiles%\microsoft office\office14\groove\xml files\space templates\black wep6b08 horse sgu4m7oc girly (hyo87il,sarah).zip.exe
%ProgramFiles%\microsoft office\templates\gzn4ud7e nude yzw1afy ihthd33 (c4w8hqa).avi.exe
%ProgramFiles%\microsoft office\templates\1033\onenote\14\notebook templates\tsomq34 girls feet gsva2xn .zip.exe
%ProgramFiles%\windows journal\templates\gzn4ud7e ddqayq mzwpstr8n [bangbus] .mpg.exe
%ProgramFiles%\windows sidebar\shared gadgets\s2fkave xakmpl yzw1afy bq4kno .avi.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\idtemplates\f07qtt wep6b08 nom72kl uncut lzxyhb7k .rar.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files\nom72kl bq4kno ejn547rbxhd1 (dehod0,dxocjwba).zip.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files-select\z9z7rwe cum lpcu5ai3 [free] ol6p1tua .avi.exe
%CommonProgramFiles(x86)%\microsoft shared\z9z7rwe nude horse [free] .avi.exe
%ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\vsta\itemtemplates\fac71w2 h93bklf mzwpstr8n hot (!) young .rar.exe
%ProgramFiles(x86)%\windows sidebar\shared gadgets\beast hot (!) cock .mpg.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\z9z7rwe nude mnho9y54 [milf] (liz).mpeg.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\s2fkave 8ok6yf sperm sgu4m7oc .rar.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\fac71w2 nude mzwpstr8n uncut latex .zip.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\nom72kl epyxwn feet wifey .mpeg.exe
%ALLUSERSPROFILE%\templates\xxx [free] lzxyhb7k (sonja,cy4xpd).zip.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\f1i7cm h93bklf beast bq4kno titts mg9fvb2xk9 .mpeg.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\f1i7cm nude ihthd33 779mipj .rar.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\f1i7cm 7nd83wovj [bangbus] .rar.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\fac71w2 7nd83wovj yzw1afy epyxwn ash .zip.exe
%ALLUSERSPROFILE%\templates\s2fkave xakmpl lpcu5ai3 uncut 779mipj .mpg.exe
C:\users\default\appdata\local\microsoft\windows\<INETFILES>\f07qtt 7nd83wovj gay epyxwn feet .rar.exe
C:\users\default\appdata\local\temp\gzn4ud7e nude mzwpstr8n vjq39c1gwy young .rar.exe
C:\users\default\appdata\local\<INETFILES>\tsomq34 girls mg9fvb2xk9 .avi.exe
C:\users\default\appdata\roaming\microsoft\windows\templates\black xakmpl mzwpstr8n sgu4m7oc hole rv0y8n (g6u8n4r).mpg.exe
C:\users\default\templates\mnho9y54 [bangbus] titts balls (jade).mpg.exe
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\z9z7rwe wep6b08 lpcu5ai3 [free] (g6u8n4r).mpeg.exe
%TEMP%\tsomq34 nom72kl hole sm .mpg.exe
%LOCALAPPDATA%\<INETFILES>\gzn4ud7e 7nd83wovj ihthd33 titts wifey (dxocjwba).mpeg.exe
%LOCALAPPDATA%low\mozilla\temp-{12c7f776-de07-4d8a-a6eb-93019fcb4f66}\z9z7rwe wep6b08 horse apv53deiq9fw (sarah).rar.exe
%LOCALAPPDATA%low\mozilla\temp-{28060726-42ae-4e49-b300-93149d394ff5}\upfgetx ddqayq mzwpstr8n ihthd33 .mpeg.exe
%LOCALAPPDATA%low\mozilla\temp-{bc1f1f78-2666-4310-aef7-f6fd5ba4bc43}\upfgetx bd1l5ir mzwpstr8n [bangbus] lady .avi.exe
%APPDATA%\microsoft\templates\8r3baiec ddqayq lpcu5ai3 [milf] cock gh5b6gd7wrv .avi.exe
%APPDATA%\microsoft\windows\templates\8r3baiec 8ok6yf gay epyxwn .rar.exe
%APPDATA%\mozilla\firefox\profiles\apc2n9d1.default-release\storage\temporary\sperm hot (!) titts balls .mpg.exe
%APPDATA%\thunderbird\profiles\rehh7ft5.default-release\storage\temporary\f07qtt xakmpl horse nom72kl titts js80j73 (g6u8n4r).zip.exe
%HOMEPATH%\templates\tsomq34 apv53deiq9fw hole hotel .mpg.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor\s2fkave wep6b08 lpcu5ai3 girls glans .avi.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor.resources\f1i7cm nude tsomq34 epyxwn .mpeg.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor\s2fkave nude beast big sm .zip.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor.resources\horse l9hwcs7vvnphd9 cock balls (cy4xpd).mpeg.exe
%WINDIR%\assembly\gac_64\microsoft.sharepoint.businessdata.administration.client\mnho9y54 girls hairy .mpeg.exe
%WINDIR%\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\mzwpstr8n sgu4m7oc cock latex (karin).zip.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\8r3baiec h93bklf tsomq34 nom72kl .avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zap9e41.tmp\s2fkave bd1l5ir sperm uncut feet zn3tvn (jade).mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\eq7k2xcxt wep6b08 lpcu5ai3 sgu4m7oc (liz).mpg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zap6b8e.tmp\lpcu5ai3 epyxwn feet .mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape291.tmp\tsomq34 ihthd33 nmibe2 .zip.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape56e.tmp\beast uncut gh5b6gd7wrv .mpeg.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_32\temp\sperm l9hwcs7vvnphd9 hotel .mpg.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\nom72kl [milf] fishy .mpeg.exe
%WINDIR%\assembly\temp\gzn4ud7e h93bklf tsomq34 girls girly .avi.exe
%WINDIR%\assembly\tmp\s2fkave cum sperm hot (!) hole mg9fvb2xk9 .rar.exe
%WINDIR%\microsoft.net\framework64\v4.0.30319\temporary asp.net files\yzw1afy l9hwcs7vvnphd9 mg9fvb2xk9 .rar.exe
%WINDIR%\pla\templates\f1i7cm 7nd83wovj mnho9y54 [free] .rar.exe
%WINDIR%\security\templates\fac71w2 wep6b08 mnho9y54 vjq39c1gwy cock sweet .zip.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\microsoft\windows\<INETFILES>\xxx [bangbus] .mpeg.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\temp\z9z7rwe ddqayq mnho9y54 [bangbus] titts ae2sd7u4xh (jade).zip.exe
%WINDIR%\serviceprofiles\localservice\appdata\roaming\microsoft\windows\templates\gay uncut glans boots .zip.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\microsoft\windows\<INETFILES>\ big glans wifey .zip.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\temp\mnho9y54 l9hwcs7vvnphd9 gh5b6gd7wrv .rar.exe
%WINDIR%\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\templates\8r3baiec cum mnho9y54 uncut latex .rar.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\f1i7cm h93bklf tsomq34 apv53deiq9fw cock nrb42wq .mpeg.exe
%WINDIR%\syswow64\fxstmp\w6csjja14n1 lpcu5ai3 l9hwcs7vvnphd9 sweet .avi.exe
%WINDIR%\syswow64\ime\shared\beast 7vepaqjm cock .zip.exe
%WINDIR%\syswow64\config\systemprofile\nom72kl girls ejn547rbxhd1 (hyo87il,y8oxsqa).rar.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\fac71w2 horse tsomq34 ihthd33 .mpg.exe
%WINDIR%\syswow64\fxstmp\eq7k2xcxt 8ok6yf mnho9y54 hot (!) feet .mpg.exe
%WINDIR%\syswow64\ime\shared\f07qtt ddqayq sperm apv53deiq9fw zmc8ujp .zip.exe
%WINDIR%\temp\f1i7cm 7nd83wovj tsomq34 girls .zip.exe
%WINDIR%\winsxs\installtemp\viaz50 tsomq34 ihthd33 zn3tvn .mpg.exe
<Current directory>\sqjaed7r1vnw

Miscellaneous

Searches for the following windows

ClassName: 'Progman' WindowName: ''
ClassName: 'Proxy Desktop' WindowName: ''

Restarts the analyzed sample

Executes the following

'%WINDIR%\explorer.exe'

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial