Trojan.KillProc2.24983

Technical Information

Malicious functions

Terminates or attempts to terminate

the following system processes:

%WINDIR%\explorer.exe
<SYSTEM32>\taskhost.exe
<SYSTEM32>\dwm.exe

the following user processes:

iexplore.exe
firefox.exe

Modifies file system

Creates the following files

%WINDIR%y1s2fctrp3
%CommonProgramFiles%\microsoft shared\f1i7cm 8ok6yf gay [milf] b37oavmx289 .mpg.exe
%ProgramFiles%\dvd maker\shared\upfgetx xakmpl porn [free] .mpeg.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\7b6fhxi xxx vjq39c1gwy sgoibhh (hyo87il,sonja).mpg.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\wpjwijv bd1l5ir bq4kno ae2sd7u4xh (rdl1tfkz,haj1oyikd).rar.exe
%ProgramFiles%\microsoft office\office14\groove\xml files\space templates\f07qtt lpcu5ai3 ddqayq epyxwn (liz,rdl1tfkz).avi.exe
%ProgramFiles%\microsoft office\templates\h93bklf lpcu5ai3 bq4kno .rar.exe
%ProgramFiles%\microsoft office\templates\1033\onenote\14\notebook templates\jxaglwti w6csjja14n1 h93bklf apv53deiq9fw 8bgkvshe1 .rar.exe
%ProgramFiles%\windows journal\templates\ikdyfwhy bd1l5ir girls hairy .rar.exe
%ProgramFiles%\windows sidebar\shared gadgets\beast 7nd83wovj uncut .mpg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\idtemplates\4h1e2a346 h93bklf ddqayq ihthd33 .mpeg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files\tsomq34 nom72kl [free] jxqgtp sm .mpg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files-select\cum ihthd33 js80j73 .mpg.exe
%CommonProgramFiles(x86)%\microsoft shared\viaz50 xxx 7vepaqjm nmibe2 (y8oxsqa,36mho73).zip.exe
%ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\vsta\itemtemplates\xakmpl porn bq4kno balls .mpg.exe
%ProgramFiles(x86)%\windows sidebar\shared gadgets\fac71w2 h93bklf [milf] .zip.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\jxaglwti beast horse 7vepaqjm jxqgtp (sarah,cy4xpd).rar.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\f07qtt xxx l9hwcs7vvnphd9 .mpg.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\f1i7cm gay yzw1afy [bangbus] jxqgtp hotel .avi.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\mzwpstr8n 8ok6yf bq4kno 6tl9zg0uqa .mpeg.exe
%ALLUSERSPROFILE%\templates\cum [free] cock .rar.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\xakmpl tsomq34 sgu4m7oc rv0y8n .avi.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\4h1e2a346 8ok6yf cum girls sm .mpeg.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\z1qxwcd 7nd83wovj beast [milf] .mpg.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\gay bd1l5ir ihthd33 ash sm .rar.exe
%ALLUSERSPROFILE%\templates\yzw1afy bq4kno 779mipj .mpg.exe
C:\users\default\appdata\local\microsoft\windows\<INETFILES>\fac71w2 xxx bq4kno jxqgtp .mpg.exe
C:\users\default\appdata\local\temp\black yzw1afy xakmpl bq4kno hotel .rar.exe
C:\users\default\appdata\local\<INETFILES>\bd1l5ir xxx sgu4m7oc titts .rar.exe
C:\users\default\appdata\roaming\microsoft\windows\templates\gay bd1l5ir sgu4m7oc rv0y8n .zip.exe
C:\users\default\templates\s2fkave h93bklf wep6b08 big jxqgtp .mpg.exe
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\f07qtt horse uncut boobs lady .zip.exe
%TEMP%\wpjwijv bd1l5ir ihthd33 fishy .avi.exe
%LOCALAPPDATA%\<INETFILES>\mzwpstr8n horse epyxwn ae2sd7u4xh .mpg.exe
%LOCALAPPDATA%low\mozilla\temp-{12c7f776-de07-4d8a-a6eb-93019fcb4f66}\viaz50 mnho9y54 hot (!) boobs ejn547rbxhd1 .zip.exe
%LOCALAPPDATA%low\mozilla\temp-{28060726-42ae-4e49-b300-93149d394ff5}\cum vjq39c1gwy titts .mpg.exe
%LOCALAPPDATA%low\mozilla\temp-{bc1f1f78-2666-4310-aef7-f6fd5ba4bc43}\horse epyxwn ejn547rbxhd1 .mpeg.exe
%APPDATA%\microsoft\templates\fac71w2 porn mzwpstr8n sgu4m7oc .rar.exe
%APPDATA%\microsoft\windows\templates\xakmpl horse epyxwn .avi.exe
%APPDATA%\mozilla\firefox\profiles\apc2n9d1.default-release\storage\temporary\horse nude apv53deiq9fw .mpg.exe
%APPDATA%\thunderbird\profiles\rehh7ft5.default-release\storage\temporary\zc8giv9 bd1l5ir mzwpstr8n 7vepaqjm 8pfmdyy .rar.exe
%HOMEPATH%\templates\7b6fhxi lpcu5ai3 bq4kno young .rar.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor\7b6fhxi ddqayq w6csjja14n1 hot (!) balls (jenna,jenna).rar.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor.resources\black nom72kl w6csjja14n1 bq4kno glans zmc8ujp .rar.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor\f07qtt h93bklf 7vepaqjm mg9fvb2xk9 .zip.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor.resources\bd1l5ir lpcu5ai3 uncut .avi.exe
%WINDIR%\assembly\gac_64\microsoft.sharepoint.businessdata.administration.client\horse [milf] titts sm (karin,rdl1tfkz).avi.exe
%WINDIR%\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\jxaglwti porn bd1l5ir uncut mg9fvb2xk9 .avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\4h1e2a346 w6csjja14n1 7vepaqjm kfp2yqq hotel .rar.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zap9e41.tmp\gzn4ud7e gay xxx ihthd33 ejn547rbxhd1 .mpg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\upfgetx nude lpcu5ai3 apv53deiq9fw sweet (dehod0).zip.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zap6b8e.tmp\xxx h93bklf girls jxqgtp .avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape291.tmp\8ok6yf girls feet zn3tvn .zip.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape56e.tmp\4h1e2a346 bd1l5ir 7nd83wovj uncut ash .mpg.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_32\temp\nude vjq39c1gwy legs (haj1oyikd,rdl1tfkz).rar.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\s2fkave xxx beast l9hwcs7vvnphd9 .avi.exe
%WINDIR%\assembly\temp\h93bklf horse hot (!) .avi.exe
%WINDIR%\assembly\tmp\viaz50 horse girls (jenna,sonja).zip.exe
%WINDIR%\microsoft.net\framework64\v4.0.30319\temporary asp.net files\porn [milf] sm .rar.exe
%WINDIR%\pla\templates\xxx 8ok6yf sgu4m7oc ash .zip.exe
%WINDIR%\security\templates\gay 7vepaqjm hole (sonja,karin).mpeg.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\microsoft\windows\<INETFILES>\z9z7rwe bd1l5ir sgu4m7oc (cy4xpd,jade).mpg.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\temp\viaz50 8ok6yf gay sgu4m7oc feet 50+ .avi.exe
%WINDIR%\serviceprofiles\localservice\appdata\roaming\microsoft\windows\templates\jxaglwti h93bklf h93bklf sgu4m7oc .avi.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\microsoft\windows\<INETFILES>\s2fkave bd1l5ir xxx [free] hole rv0y8n (rdl1tfkz,gina).avi.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\temp\beast mnho9y54 [free] boots (dehod0).zip.exe
%WINDIR%\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\templates\eq7k2xcxt horse gay [bangbus] lzxyhb7k (jade,sandy).mpeg.exe
%WINDIR%\syswow64\config\systemprofile\yzw1afy big nmibe2 .mpg.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\asian w6csjja14n1 big 8pfmdyy .zip.exe
%WINDIR%\syswow64\fxstmp\nom72kl beast bq4kno boobs .mpeg.exe
%WINDIR%\syswow64\ime\shared\0287zh beast hot (!) 8pfmdyy (sarah,dxocjwba).avi.exe
%WINDIR%\syswow64\config\systemprofile\wpjwijv yzw1afy mnho9y54 epyxwn legs (jade,2hbt8wr).rar.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\7nd83wovj bq4kno glans fishy (hyo87il,sonja).mpeg.exe
%WINDIR%\syswow64\fxstmp\xxx [milf] (g6u8n4r).mpeg.exe
%WINDIR%\syswow64\ime\shared\8r3baiec nom72kl [bangbus] lzxyhb7k (jenna,karin).mpg.exe
%WINDIR%\temp\horse ddqayq [milf] rv0y8n .zip.exe

Miscellaneous

Searches for the following windows

ClassName: 'Progman' WindowName: ''
ClassName: 'Proxy Desktop' WindowName: ''

Restarts the analyzed sample

Executes the following

'%WINDIR%\explorer.exe'

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial