Trojan.KillProc2.25017

Technical Information

Malicious functions

Terminates or attempts to terminate

the following system processes:

%WINDIR%\explorer.exe
<SYSTEM32>\taskhost.exe
<SYSTEM32>\dwm.exe

the following user processes:

iexplore.exe
firefox.exe

Modifies file system

Creates the following files

%WINDIR%y1s2fctrp3
%CommonProgramFiles%\microsoft shared\beast epyxwn feet boots .avi.exe
%ProgramFiles%\dvd maker\shared\f1i7cm xakmpl yzw1afy [bangbus] hole girly (karin).avi.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\upfgetx porn gay big titts 40+ (karin).rar.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\xxx epyxwn .rar.exe
%ProgramFiles%\microsoft office\office14\groove\xml files\space templates\gay l9hwcs7vvnphd9 cock js80j73 (sarah).avi.exe
%ProgramFiles%\microsoft office\templates\8r3baiec ddqayq mzwpstr8n bq4kno lzxyhb7k .avi.exe
%ProgramFiles%\microsoft office\templates\1033\onenote\14\notebook templates\f1i7cm ddqayq xxx [bangbus] titts eigt45 .avi.exe
%ProgramFiles%\windows journal\templates\lpcu5ai3 big gh5b6gd7wrv (36mho73,g6u8n4r).rar.exe
%ProgramFiles%\windows sidebar\shared gadgets\8r3baiec xakmpl nom72kl nom72kl (cy4xpd).mpeg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\idtemplates\yzw1afy ihthd33 6tl9zg0uqa .mpeg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files\beast bq4kno .mpg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files-select\xxx sgu4m7oc (2hbt8wr).avi.exe
%CommonProgramFiles(x86)%\microsoft shared\ 7vepaqjm glans .rar.exe
%ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\vsta\itemtemplates\eq7k2xcxt ddqayq sperm uncut cock (jenna,liz).mpg.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\ 7vepaqjm feet fishy .rar.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\mzwpstr8n [milf] hole balls .rar.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\gay vjq39c1gwy hole .rar.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\s2fkave cum nom72kl lzxyhb7k .mpg.exe
%ALLUSERSPROFILE%\templates\8r3baiec horse xxx hot (!) 8pfmdyy (haj1oyikd,dxocjwba).mpeg.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\ ihthd33 hairy (rdl1tfkz,c4w8hqa).zip.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\yzw1afy [milf] (y8oxsqa).zip.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\yzw1afy ihthd33 (karin).mpeg.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\gay [free] (dxocjwba).mpg.exe
%ALLUSERSPROFILE%\templates\gzn4ud7e 7nd83wovj lpcu5ai3 sgu4m7oc 8pfmdyy .avi.exe
C:\users\default\appdata\local\microsoft\windows\<INETFILES>\8r3baiec 8ok6yf mnho9y54 l9hwcs7vvnphd9 .mpg.exe
C:\users\default\appdata\local\temp\gzn4ud7e bd1l5ir nom72kl nom72kl (sarah).avi.exe
C:\users\default\appdata\local\<INETFILES>\s2fkave w6csjja14n1 7vepaqjm cock gh5b6gd7wrv .zip.exe
C:\users\default\appdata\roaming\microsoft\windows\templates\z9z7rwe ddqayq gay uncut hotel .avi.exe
C:\users\default\templates\horse uncut feet girly .zip.exe
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\s2fkave cum xxx [free] cock shoes .avi.exe
%TEMP%\s2fkave h93bklf beast hot (!) nmibe2 .rar.exe
%LOCALAPPDATA%\<INETFILES>\fac71w2 horse horse [free] feet rv0y8n .mpg.exe
%LOCALAPPDATA%low\mozilla\temp-{12c7f776-de07-4d8a-a6eb-93019fcb4f66}\gay nom72kl gsva2xn .mpg.exe
%LOCALAPPDATA%low\mozilla\temp-{28060726-42ae-4e49-b300-93149d394ff5}\yzw1afy [free] titts zn3tvn .rar.exe
%LOCALAPPDATA%low\mozilla\temp-{bc1f1f78-2666-4310-aef7-f6fd5ba4bc43}\upfgetx porn nom72kl sgu4m7oc rv0y8n .zip.exe
%APPDATA%\microsoft\templates\upfgetx nude lpcu5ai3 sgu4m7oc cock sgoibhh .zip.exe
%APPDATA%\microsoft\windows\templates\mzwpstr8n l9hwcs7vvnphd9 .mpg.exe
%APPDATA%\mozilla\firefox\profiles\apc2n9d1.default-release\storage\temporary\black xakmpl nom72kl ihthd33 feet mg9fvb2xk9 .zip.exe
%APPDATA%\thunderbird\profiles\rehh7ft5.default-release\storage\temporary\s2fkave bd1l5ir tsomq34 [free] ol6p1tua .mpg.exe
%HOMEPATH%\templates\upfgetx xakmpl 7vepaqjm feet (sonja,g6u8n4r).rar.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor\xxx girls gsva2xn .avi.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor.resources\gay l9hwcs7vvnphd9 titts .avi.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor\upfgetx 8ok6yf yzw1afy [bangbus] ejn547rbxhd1 .mpeg.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor.resources\f07qtt 8ok6yf nom72kl gsva2xn (sandy,g6u8n4r).mpeg.exe
%WINDIR%\assembly\gac_64\microsoft.sharepoint.businessdata.administration.client\8r3baiec w6csjja14n1 tsomq34 nom72kl 40+ .avi.exe
%WINDIR%\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\beast ihthd33 .mpg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\mnho9y54 bq4kno .rar.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zap9e41.tmp\sperm ihthd33 zmc8ujp .zip.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\z9z7rwe bd1l5ir yzw1afy apv53deiq9fw shoes .mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zap6b8e.tmp\tsomq34 nom72kl feet .mpg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape291.tmp\f07qtt porn tsomq34 [free] titts 50+ .rar.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape56e.tmp\8r3baiec nude beast 7vepaqjm glans zmc8ujp .avi.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_32\temp\eq7k2xcxt horse lpcu5ai3 hot (!) gh5b6gd7wrv .zip.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\s2fkave horse gay girls glans .mpeg.exe
%WINDIR%\assembly\temp\f1i7cm horse yzw1afy hot (!) .avi.exe
%WINDIR%\assembly\tmp\fac71w2 8ok6yf beast 7vepaqjm (liz).mpeg.exe
%WINDIR%\microsoft.net\framework\v4.0.30319\temporary asp.net files\f1i7cm porn yzw1afy uncut (2hbt8wr).mpg.exe
%WINDIR%\microsoft.net\framework64\v4.0.30319\temporary asp.net files\sperm big feet .rar.exe
%WINDIR%\pla\templates\fac71w2 porn tsomq34 vjq39c1gwy .mpeg.exe
%WINDIR%\security\templates\mzwpstr8n 7vepaqjm titts .mpg.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\microsoft\windows\<INETFILES>\black bd1l5ir mnho9y54 epyxwn latex .avi.exe
%WINDIR%\serviceprofiles\localservice\appdata\roaming\microsoft\windows\templates\f07qtt horse tsomq34 ihthd33 (karin).zip.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\microsoft\windows\<INETFILES>\gay uncut sgoibhh (hyo87il,dxocjwba).mpg.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\temp\8r3baiec porn mzwpstr8n girls hole b37oavmx289 .mpg.exe
%WINDIR%\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\templates\ apv53deiq9fw balls .avi.exe
%WINDIR%\syswow64\config\systemprofile\8r3baiec 8ok6yf tsomq34 [bangbus] .avi.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\s2fkave ddqayq girls balls .zip.exe
%WINDIR%\syswow64\fxstmp\h93bklf ihthd33 (2hbt8wr).avi.exe
%WINDIR%\syswow64\ime\shared\gay [milf] cock hairy .zip.exe
%WINDIR%\syswow64\config\systemprofile\8r3baiec bd1l5ir horse 7vepaqjm (jade).avi.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\sperm hot (!) gsva2xn .mpeg.exe
%WINDIR%\syswow64\fxstmp\black horse tsomq34 uncut ash .rar.exe
%WINDIR%\syswow64\ime\shared\f07qtt w6csjja14n1 tsomq34 uncut feet zn3tvn (sarah).avi.exe
%WINDIR%\temp\horse vjq39c1gwy 50+ .rar.exe
<Current directory>\sqjaed7r1vnw

Miscellaneous

Searches for the following windows

ClassName: 'Progman' WindowName: ''
ClassName: 'Proxy Desktop' WindowName: ''

Restarts the analyzed sample

Executes the following

'%WINDIR%\explorer.exe'

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial