Trojan.KillProc2.24993

Technical Information

Malicious functions

Terminates or attempts to terminate

the following system processes:

%WINDIR%\explorer.exe
<SYSTEM32>\taskhost.exe
<SYSTEM32>\dwm.exe

the following user processes:

iexplore.exe
firefox.exe

Modifies file system

Creates the following files

%WINDIR%y1s2fctrp3
%CommonProgramFiles%\microsoft shared\nude 8ok6yf vjq39c1gwy boobs .avi.exe
%ProgramFiles%\dvd maker\shared\viaz50 xxx xxx 7vepaqjm hotel .avi.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\beast mzwpstr8n apv53deiq9fw glans 8bgkvshe1 .mpeg.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\h93bklf horse epyxwn hole boots .zip.exe
%ProgramFiles%\microsoft office\office14\groove\xml files\space templates\fac71w2 mzwpstr8n wep6b08 [bangbus] kfp2yqq young .rar.exe
%ProgramFiles%\microsoft office\templates\ikdyfwhy wep6b08 cum uncut balls .avi.exe
%ProgramFiles%\microsoft office\templates\1033\onenote\14\notebook templates\sperm girls .zip.exe
%ProgramFiles%\windows journal\templates\eq7k2xcxt xakmpl nude nom72kl 50+ .avi.exe
%ProgramFiles%\windows sidebar\shared gadgets\wep6b08 [milf] zn3tvn .mpeg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\idtemplates\4h1e2a346 8ok6yf 7nd83wovj nom72kl 6tl9zg0uqa .mpeg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files\8r3baiec h93bklf porn big jxqgtp .mpg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files-select\7nd83wovj gay hot (!) boobs 50+ .zip.exe
%CommonProgramFiles(x86)%\microsoft shared\beast beast uncut .mpg.exe
%ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\vsta\itemtemplates\f07qtt xxx bd1l5ir uncut sm (g6u8n4r,dxocjwba).mpeg.exe
%ProgramFiles(x86)%\windows sidebar\shared gadgets\bd1l5ir vjq39c1gwy glans .avi.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\wep6b08 horse girls (gina).rar.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\gzn4ud7e bd1l5ir sperm [milf] (36mho73).avi.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\ikdyfwhy ddqayq girls kfp2yqq qx2j1b5 .mpg.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\viaz50 porn bq4kno .avi.exe
%ALLUSERSPROFILE%\templates\7nd83wovj 7nd83wovj girls b37oavmx289 .mpeg.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\viaz50 bd1l5ir horse nom72kl nrb42wq .avi.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\8r3baiec nom72kl yzw1afy bq4kno eigt45 .zip.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\yzw1afy w6csjja14n1 uncut boobs 8pfmdyy (g6u8n4r).rar.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\sperm nude 7vepaqjm cock eigt45 (karin,g6u8n4r).rar.exe
%ALLUSERSPROFILE%\templates\0287zh ddqayq big zn3tvn .zip.exe
C:\users\default\appdata\local\microsoft\windows\<INETFILES>\wpjwijv ddqayq sgu4m7oc .mpg.exe
C:\users\default\appdata\local\temp\upfgetx ddqayq nom72kl lady .avi.exe
C:\users\default\appdata\local\<INETFILES>\gay xxx apv53deiq9fw feet .avi.exe
C:\users\default\appdata\roaming\microsoft\windows\templates\xakmpl mnho9y54 bq4kno 50+ (36mho73).zip.exe
C:\users\default\templates\wpjwijv yzw1afy hot (!) kfp2yqq girly .avi.exe
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\bd1l5ir [milf] .avi.exe
%TEMP%\yzw1afy bd1l5ir [milf] cock hotel .rar.exe
%LOCALAPPDATA%\<INETFILES>\ horse l9hwcs7vvnphd9 ash .avi.exe
%LOCALAPPDATA%low\mozilla\temp-{12c7f776-de07-4d8a-a6eb-93019fcb4f66}\porn h93bklf [bangbus] balls (gina).mpeg.exe
%LOCALAPPDATA%low\mozilla\temp-{28060726-42ae-4e49-b300-93149d394ff5}\nom72kl uncut (liz,sonja).avi.exe
%LOCALAPPDATA%low\mozilla\temp-{bc1f1f78-2666-4310-aef7-f6fd5ba4bc43}\4h1e2a346 nom72kl ddqayq hot (!) eigt45 .rar.exe
%APPDATA%\microsoft\templates\bd1l5ir horse ihthd33 b37oavmx289 (jade).avi.exe
%APPDATA%\microsoft\windows\templates\black mnho9y54 horse [bangbus] .rar.exe
%APPDATA%\mozilla\firefox\profiles\apc2n9d1.default-release\storage\temporary\fac71w2 xakmpl hot (!) (g6u8n4r,dxocjwba).mpg.exe
%APPDATA%\thunderbird\profiles\rehh7ft5.default-release\storage\temporary\wpjwijv 7nd83wovj 7nd83wovj sgu4m7oc feet .zip.exe
%HOMEPATH%\templates\7b6fhxi sperm hot (!) gh5b6gd7wrv .zip.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor\fac71w2 nude vjq39c1gwy zmc8ujp (rdl1tfkz,jade).mpeg.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor.resources\cum epyxwn boobs .avi.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor\7nd83wovj sgu4m7oc girly .zip.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor.resources\mnho9y54 ddqayq bq4kno feet qx2j1b5 (liz).rar.exe
%WINDIR%\assembly\gac_64\microsoft.sharepoint.businessdata.administration.client\horse gay epyxwn 50+ .mpeg.exe
%WINDIR%\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\jxaglwti sperm ddqayq ihthd33 .avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\gay mzwpstr8n [bangbus] 779mipj .mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zap9e41.tmp\7b6fhxi lpcu5ai3 xakmpl [milf] b37oavmx289 .avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\beast horse apv53deiq9fw zn3tvn .zip.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zap6b8e.tmp\ikdyfwhy wep6b08 cum epyxwn .mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape291.tmp\lpcu5ai3 tsomq34 ihthd33 (haj1oyikd,dehod0).mpeg.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_32\temp\jxaglwti gay girls (haj1oyikd).avi.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\eq7k2xcxt nom72kl yzw1afy 7vepaqjm (sonja,sandy).avi.exe
%WINDIR%\assembly\temp\s2fkave horse [free] glans .zip.exe
%WINDIR%\assembly\tmp\wpjwijv lpcu5ai3 nom72kl kfp2yqq .mpg.exe
%WINDIR%\microsoft.net\framework\v4.0.30319\temporary asp.net files\w6csjja14n1 7vepaqjm .zip.exe
%WINDIR%\microsoft.net\framework64\v4.0.30319\temporary asp.net files\nom72kl yzw1afy hot (!) 40+ .zip.exe
%WINDIR%\pla\templates\asian 8ok6yf gay girls feet (36mho73,jenna).zip.exe
%WINDIR%\security\templates\ikdyfwhy mzwpstr8n sgu4m7oc cock gh5b6gd7wrv (2hbt8wr,jade).mpeg.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\microsoft\windows\<INETFILES>\yzw1afy ddqayq l9hwcs7vvnphd9 hole ae2sd7u4xh .avi.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\temp\4h1e2a346 wep6b08 apv53deiq9fw (jade,c4w8hqa).zip.exe
%WINDIR%\serviceprofiles\localservice\appdata\roaming\microsoft\windows\templates\viaz50 mnho9y54 bd1l5ir l9hwcs7vvnphd9 fishy .zip.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\microsoft\windows\<INETFILES>\xakmpl cum bq4kno .mpg.exe
%WINDIR%\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\templates\f1i7cm xakmpl l9hwcs7vvnphd9 hole zmc8ujp .mpeg.exe
%WINDIR%\syswow64\config\systemprofile\z1qxwcd [free] boots .rar.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\black 7nd83wovj bd1l5ir [free] balls .mpeg.exe
%WINDIR%\syswow64\fxstmp\mnho9y54 l9hwcs7vvnphd9 779mipj .avi.exe
%WINDIR%\syswow64\ime\shared\ikdyfwhy ddqayq epyxwn sweet .avi.exe
%WINDIR%\syswow64\config\systemprofile\8r3baiec cum ihthd33 nmibe2 .zip.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\f07qtt lpcu5ai3 nude ihthd33 js80j73 .rar.exe
%WINDIR%\syswow64\fxstmp\z9z7rwe sperm epyxwn legs ash .zip.exe
%WINDIR%\syswow64\ime\shared\z1qxwcd h93bklf apv53deiq9fw cock (jenna,jade).zip.exe
%WINDIR%\temp\nom72kl sgu4m7oc shoes .mpg.exe
%WINDIR%\winsxs\installtemp\fac71w2 gay [milf] balls .rar.exe
<Current directory>\sqjaed7r1vnw

Miscellaneous

Searches for the following windows

ClassName: 'Progman' WindowName: ''
ClassName: 'Proxy Desktop' WindowName: ''

Restarts the analyzed sample

Executes the following

'%WINDIR%\explorer.exe'

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial