Trojan.KillProc2.25012

Technical Information

Malicious functions

Terminates or attempts to terminate

the following system processes:

%WINDIR%\explorer.exe
<SYSTEM32>\taskhost.exe
<SYSTEM32>\dwm.exe

the following user processes:

iexplore.exe
firefox.exe

Modifies file system

Creates the following files

%WINDIR%y1s2fctrp3
%CommonProgramFiles%\microsoft shared\cum mzwpstr8n girls .mpeg.exe
%ProgramFiles%\dvd maker\shared\s2fkave 8ok6yf uncut 8bgkvshe1 .mpeg.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\jxaglwti wep6b08 xxx hot (!) ejn547rbxhd1 .rar.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\gay uncut (gina,rdl1tfkz).mpeg.exe
%ProgramFiles%\microsoft office\office14\groove\xml files\space templates\upfgetx ddqayq bq4kno .zip.exe
%ProgramFiles%\microsoft office\templates\s2fkave mnho9y54 apv53deiq9fw kfp2yqq (jenna,c4w8hqa).mpg.exe
%ProgramFiles%\microsoft office\templates\1033\onenote\14\notebook templates\zc8giv9 ddqayq uncut 50+ (rdl1tfkz,liz).mpeg.exe
%ProgramFiles%\windows journal\templates\wep6b08 [bangbus] rv0y8n .avi.exe
%ProgramFiles%\windows sidebar\shared gadgets\f07qtt porn nude [milf] .zip.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\idtemplates\black 8ok6yf 8ok6yf nom72kl .rar.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files\horse bd1l5ir sgu4m7oc (liz,cy4xpd).mpg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files-select\black cum [milf] ae2sd7u4xh .avi.exe
%CommonProgramFiles(x86)%\microsoft shared\wpjwijv 7vepaqjm hole qq6w54yfhtqrbwcslg (rdl1tfkz).mpg.exe
%ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\vsta\itemtemplates\ikdyfwhy h93bklf l9hwcs7vvnphd9 .zip.exe
%ProgramFiles(x86)%\windows sidebar\shared gadgets\s2fkave ddqayq h93bklf uncut (dehod0,sandy).zip.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\nom72kl 7nd83wovj [free] titts fishy (hyo87il,jade).avi.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\tsomq34 [bangbus] jxqgtp .avi.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\w6csjja14n1 wep6b08 [free] hole .avi.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\gzn4ud7e 8ok6yf hot (!) gh5b6gd7wrv (gina).avi.exe
%ALLUSERSPROFILE%\templates\fac71w2 8ok6yf hot (!) .mpg.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\8ok6yf uncut latex .mpeg.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\0287zh tsomq34 xakmpl l9hwcs7vvnphd9 mg9fvb2xk9 .zip.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\0287zh beast uncut young .mpg.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\4h1e2a346 w6csjja14n1 mnho9y54 big rv0y8n .zip.exe
%ALLUSERSPROFILE%\templates\ikdyfwhy epyxwn hole (dxocjwba).rar.exe
C:\users\default\appdata\local\microsoft\windows\<INETFILES>\z1qxwcd mnho9y54 xakmpl ihthd33 ash .mpeg.exe
C:\users\default\appdata\local\temp\horse ihthd33 lzxyhb7k .mpg.exe
C:\users\default\appdata\local\<INETFILES>\gzn4ud7e mzwpstr8n horse hot (!) feet ol6p1tua (c4w8hqa,karin).mpg.exe
C:\users\default\appdata\roaming\microsoft\windows\templates\h93bklf big .avi.exe
C:\users\default\templates\gay uncut nmibe2 .avi.exe
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\fac71w2 xxx w6csjja14n1 bq4kno .zip.exe
%TEMP%\asian lpcu5ai3 ihthd33 .rar.exe
%LOCALAPPDATA%\<INETFILES>\zc8giv9 tsomq34 [milf] boots .mpeg.exe
%LOCALAPPDATA%low\mozilla\temp-{12c7f776-de07-4d8a-a6eb-93019fcb4f66}\horse 7nd83wovj [bangbus] glans .zip.exe
%LOCALAPPDATA%low\mozilla\temp-{28060726-42ae-4e49-b300-93149d394ff5}\0287zh horse vjq39c1gwy cock .rar.exe
%LOCALAPPDATA%low\mozilla\temp-{bc1f1f78-2666-4310-aef7-f6fd5ba4bc43}\4h1e2a346 horse 7nd83wovj [milf] zn3tvn .avi.exe
%APPDATA%\microsoft\templates\0287zh nom72kl ddqayq big ash .zip.exe
%APPDATA%\microsoft\windows\templates\z9z7rwe 8ok6yf xxx hot (!) .mpeg.exe
%APPDATA%\mozilla\firefox\profiles\apc2n9d1.default-release\storage\temporary\mzwpstr8n 7nd83wovj sgu4m7oc .zip.exe
%APPDATA%\thunderbird\profiles\rehh7ft5.default-release\storage\temporary\s2fkave porn big young .mpg.exe
%HOMEPATH%\templates\asian ddqayq cum l9hwcs7vvnphd9 ae2sd7u4xh .avi.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor\0287zh horse [bangbus] rv0y8n (sonja,karin).rar.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor.resources\lpcu5ai3 wep6b08 uncut 50+ (sarah).rar.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor\asian bd1l5ir yzw1afy bq4kno .zip.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor.resources\upfgetx bd1l5ir hot (!) shoes .mpeg.exe
%WINDIR%\assembly\gac_64\microsoft.sharepoint.businessdata.administration.client\gay [bangbus] .avi.exe
%WINDIR%\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\gzn4ud7e w6csjja14n1 uncut jxqgtp mg9fvb2xk9 .rar.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\z9z7rwe xakmpl xxx [milf] .mpg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zap9e41.tmp\bd1l5ir ihthd33 kfp2yqq 40+ (dehod0,c4w8hqa).mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\0287zh gay vjq39c1gwy balls .rar.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zap6b8e.tmp\lpcu5ai3 xakmpl [free] latex (g6u8n4r,c4w8hqa).rar.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape291.tmp\8r3baiec sperm hot (!) qx2j1b5 .avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape56e.tmp\ 7vepaqjm fishy (cy4xpd,sarah).mpg.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_32\temp\ikdyfwhy wep6b08 [milf] .zip.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\4h1e2a346 mnho9y54 girls kfp2yqq 779mipj (sonja,hyo87il).rar.exe
%WINDIR%\assembly\temp\sperm apv53deiq9fw .rar.exe
%WINDIR%\assembly\tmp\horse cum uncut hairy (g6u8n4r,c4w8hqa).rar.exe
%WINDIR%\microsoft.net\framework\v4.0.30319\temporary asp.net files\eq7k2xcxt nude vjq39c1gwy .avi.exe
%WINDIR%\microsoft.net\framework64\v4.0.30319\temporary asp.net files\7nd83wovj 7nd83wovj apv53deiq9fw ash .zip.exe
%WINDIR%\pla\templates\f1i7cm gay porn vjq39c1gwy cock wifey (karin).mpeg.exe
%WINDIR%\security\templates\fac71w2 nude yzw1afy [milf] 8bgkvshe1 .rar.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\microsoft\windows\<INETFILES>\8ok6yf epyxwn glans ash .rar.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\temp\yzw1afy l9hwcs7vvnphd9 titts hotel .zip.exe
%WINDIR%\serviceprofiles\localservice\appdata\roaming\microsoft\windows\templates\porn big titts wifey .mpeg.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\microsoft\windows\<INETFILES>\mnho9y54 [bangbus] glans .mpg.exe
%WINDIR%\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\templates\mnho9y54 bq4kno (rdl1tfkz).mpg.exe
%WINDIR%\syswow64\config\systemprofile\f1i7cm nom72kl uncut titts sgoibhh .rar.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\4h1e2a346 lpcu5ai3 8ok6yf l9hwcs7vvnphd9 wifey .mpg.exe
%WINDIR%\syswow64\fxstmp\8r3baiec mzwpstr8n nom72kl l9hwcs7vvnphd9 8bgkvshe1 (jade).zip.exe
%WINDIR%\syswow64\ime\shared\8r3baiec w6csjja14n1 hot (!) hole (g6u8n4r).mpeg.exe
%WINDIR%\syswow64\config\systemprofile\7b6fhxi horse apv53deiq9fw .mpg.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\bd1l5ir [milf] ejn547rbxhd1 (jenna).zip.exe
%WINDIR%\syswow64\fxstmp\ddqayq hot (!) eigt45 (haj1oyikd).mpeg.exe
%WINDIR%\syswow64\ime\shared\ikdyfwhy tsomq34 bq4kno shoes .avi.exe
%WINDIR%\temp\z9z7rwe tsomq34 hot (!) .rar.exe
%WINDIR%\winsxs\installtemp\s2fkave sperm apv53deiq9fw rv0y8n .rar.exe
<Current directory>\sqjaed7r1vnw

Miscellaneous

Searches for the following windows

ClassName: 'Progman' WindowName: ''
ClassName: 'Proxy Desktop' WindowName: ''

Restarts the analyzed sample

Executes the following

'%WINDIR%\explorer.exe'

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial