Trojan.KillProc2.24994

Technical Information

Malicious functions

Terminates or attempts to terminate

the following system processes:

%WINDIR%\explorer.exe
<SYSTEM32>\taskhost.exe
<SYSTEM32>\dwm.exe

the following user processes:

iexplore.exe
firefox.exe

Modifies file system

Creates the following files

%WINDIR%y1s2fctrp3
%CommonProgramFiles%\microsoft shared\wep6b08 mnho9y54 epyxwn sweet .mpeg.exe
%ProgramFiles%\dvd maker\shared\z1qxwcd w6csjja14n1 vjq39c1gwy .zip.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\f1i7cm horse big 6tl9zg0uqa .rar.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\mzwpstr8n l9hwcs7vvnphd9 6tl9zg0uqa .rar.exe
%ProgramFiles%\microsoft office\office14\groove\xml files\space templates\mnho9y54 uncut .avi.exe
%ProgramFiles%\microsoft office\templates\viaz50 7nd83wovj [milf] 8bgkvshe1 (dehod0).avi.exe
%ProgramFiles%\microsoft office\templates\1033\onenote\14\notebook templates\horse lpcu5ai3 [free] (rdl1tfkz,2hbt8wr).mpg.exe
%ProgramFiles%\windows journal\templates\7nd83wovj [free] hotel .rar.exe
%ProgramFiles%\windows sidebar\shared gadgets\f1i7cm h93bklf [free] .mpg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\idtemplates\tsomq34 apv53deiq9fw zn3tvn (rdl1tfkz).zip.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files\lpcu5ai3 [milf] kfp2yqq zn3tvn (dehod0,c4w8hqa).avi.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files-select\h93bklf beast apv53deiq9fw .zip.exe
%CommonProgramFiles(x86)%\microsoft shared\bd1l5ir l9hwcs7vvnphd9 .mpg.exe
%ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\vsta\itemtemplates\nude beast [milf] hole (36mho73).zip.exe
%ProgramFiles(x86)%\windows sidebar\shared gadgets\upfgetx porn nom72kl 7vepaqjm qx2j1b5 (karin).rar.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\ikdyfwhy mzwpstr8n 8ok6yf 7vepaqjm glans .rar.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\gay [free] feet ol6p1tua .zip.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\z1qxwcd bd1l5ir nom72kl uncut hole nmibe2 .mpeg.exe
%ALLUSERSPROFILE%\templates\w6csjja14n1 vjq39c1gwy feet boots (2hbt8wr).mpeg.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\zc8giv9 cum [free] latex (sarah).avi.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\wpjwijv xxx 7nd83wovj vjq39c1gwy .mpg.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\s2fkave ddqayq girls 50+ .mpeg.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\gay sgu4m7oc .mpeg.exe
%ALLUSERSPROFILE%\templates\s2fkave sperm nom72kl uncut fishy .avi.exe
C:\users\default\appdata\local\microsoft\windows\<INETFILES>\w6csjja14n1 vjq39c1gwy hairy .zip.exe
C:\users\default\appdata\local\temp\8ok6yf [free] rv0y8n (dxocjwba).mpeg.exe
C:\users\default\appdata\local\<INETFILES>\ikdyfwhy gay nom72kl l9hwcs7vvnphd9 rv0y8n (gina,dxocjwba).mpeg.exe
C:\users\default\appdata\roaming\microsoft\windows\templates\horse bd1l5ir apv53deiq9fw nrb42wq .zip.exe
C:\users\default\templates\ mzwpstr8n sgu4m7oc jxqgtp qx2j1b5 .mpeg.exe
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\jxaglwti tsomq34 xxx [milf] .zip.exe
%TEMP%\ikdyfwhy horse nom72kl l9hwcs7vvnphd9 .zip.exe
%LOCALAPPDATA%low\mozilla\temp-{12c7f776-de07-4d8a-a6eb-93019fcb4f66}\8r3baiec w6csjja14n1 nom72kl (c4w8hqa,jenna).rar.exe
%LOCALAPPDATA%low\mozilla\temp-{28060726-42ae-4e49-b300-93149d394ff5}\yzw1afy [bangbus] (36mho73).mpg.exe
%LOCALAPPDATA%low\mozilla\temp-{bc1f1f78-2666-4310-aef7-f6fd5ba4bc43}\sperm [milf] qq6w54yfhtqrbwcslg (sonja).mpg.exe
%APPDATA%\microsoft\templates\asian sperm l9hwcs7vvnphd9 (2hbt8wr,c4w8hqa).mpeg.exe
%APPDATA%\microsoft\windows\templates\nude horse [milf] nmibe2 (haj1oyikd,jenna).zip.exe
%APPDATA%\mozilla\firefox\profiles\apc2n9d1.default-release\storage\temporary\w6csjja14n1 girls cock .rar.exe
%APPDATA%\thunderbird\profiles\rehh7ft5.default-release\storage\temporary\7nd83wovj ihthd33 hotel (sonja).rar.exe
%HOMEPATH%\templates\7nd83wovj big .rar.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor\f07qtt beast sgu4m7oc legs rv0y8n .avi.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor.resources\ikdyfwhy ddqayq sgu4m7oc .mpeg.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor\beast sgu4m7oc feet 8pfmdyy (y8oxsqa).rar.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor.resources\s2fkave gay mzwpstr8n uncut .mpg.exe
%WINDIR%\assembly\gac_64\microsoft.sharepoint.businessdata.administration.client\0287zh sperm wep6b08 uncut ash .mpeg.exe
%WINDIR%\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\eq7k2xcxt w6csjja14n1 mnho9y54 big fw58kpr41ob1w (gina).rar.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\z9z7rwe nude vjq39c1gwy .mpg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zap9e41.tmp\ nom72kl hotel .avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\bd1l5ir girls boots .zip.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zap6b8e.tmp\s2fkave 7nd83wovj h93bklf uncut 6tl9zg0uqa .mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape291.tmp\f1i7cm cum vjq39c1gwy boobs .mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape56e.tmp\nude [free] ol6p1tua .rar.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_32\temp\gzn4ud7e ddqayq ihthd33 hole .zip.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\ bq4kno 40+ .avi.exe
%WINDIR%\assembly\temp\upfgetx gay uncut ae2sd7u4xh .avi.exe
%WINDIR%\assembly\tmp\nom72kl big 50+ .mpeg.exe

Miscellaneous

Searches for the following windows

ClassName: 'Progman' WindowName: ''
ClassName: 'Proxy Desktop' WindowName: ''

Restarts the analyzed sample

Executes the following

'%WINDIR%\explorer.exe'

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial