Trojan.KillProc2.27915

Technical Information

Malicious functions

Terminates or attempts to terminate

the following system processes:

%WINDIR%\explorer.exe
<SYSTEM32>\taskhost.exe
<SYSTEM32>\dwm.exe

the following user processes:

iexplore.exe
firefox.exe

Modifies file system

Creates the following files

%WINDIR%y1s2fctrp3
%CommonProgramFiles%\microsoft shared\beast hot (!) 8bgkvshe1 .mpeg.exe
%ProgramFiles%\dvd maker\shared\ikdyfwhy w6csjja14n1 big fishy .rar.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\ddqayq nom72kl mg9fvb2xk9 .mpeg.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\nude horse ihthd33 wifey .rar.exe
%ProgramFiles%\microsoft office\office14\groove\xml files\space templates\gay apv53deiq9fw .avi.exe
%ProgramFiles%\microsoft office\templates\sperm bq4kno hole zmc8ujp .mpg.exe
%ProgramFiles%\microsoft office\templates\1033\onenote\14\notebook templates\w6csjja14n1 bd1l5ir sgu4m7oc ash ash (jade).zip.exe
%ProgramFiles%\windows journal\templates\sperm [free] sgoibhh (karin,gina).rar.exe
%ProgramFiles%\windows sidebar\shared gadgets\7b6fhxi porn porn [free] legs fw58kpr41ob1w .avi.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\idtemplates\horse sgu4m7oc .rar.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files\sperm ihthd33 legs .rar.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files-select\xxx mnho9y54 nom72kl hotel .mpeg.exe
%CommonProgramFiles(x86)%\microsoft shared\f1i7cm lpcu5ai3 sgu4m7oc boots .zip.exe
%ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\vsta\itemtemplates\yzw1afy bq4kno hotel (g6u8n4r).rar.exe
%ProgramFiles(x86)%\windows sidebar\shared gadgets\xakmpl big .avi.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\ddqayq big hairy .mpeg.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\xakmpl bq4kno ejn547rbxhd1 .mpeg.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\z9z7rwe mzwpstr8n vjq39c1gwy .avi.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\ikdyfwhy 7nd83wovj vjq39c1gwy glans .mpg.exe
%ALLUSERSPROFILE%\templates\ikdyfwhy wep6b08 epyxwn hole nmibe2 .mpeg.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\f1i7cm beast vjq39c1gwy boots .mpg.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\nude uncut ash .mpg.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\horse [free] .zip.exe
%ALLUSERSPROFILE%\templates\zc8giv9 sperm mzwpstr8n [bangbus] legs boots .avi.exe
C:\users\default\appdata\local\microsoft\windows\<INETFILES>\eq7k2xcxt bd1l5ir 7vepaqjm ae2sd7u4xh .mpg.exe
C:\users\default\appdata\local\temp\ddqayq epyxwn mg9fvb2xk9 .mpeg.exe
C:\users\default\appdata\local\<INETFILES>\z1qxwcd gay nom72kl .avi.exe
C:\users\default\appdata\roaming\microsoft\windows\templates\upfgetx wep6b08 hot (!) .rar.exe
C:\users\default\templates\ddqayq porn big balls .rar.exe
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\viaz50 nude vjq39c1gwy qx2j1b5 .mpeg.exe
%TEMP%\mzwpstr8n horse sgu4m7oc boobs .mpeg.exe
%LOCALAPPDATA%\<INETFILES>\ddqayq sgu4m7oc 8bgkvshe1 .mpg.exe
%LOCALAPPDATA%low\mozilla\temp-{12c7f776-de07-4d8a-a6eb-93019fcb4f66}\fac71w2 8ok6yf lpcu5ai3 epyxwn gh5b6gd7wrv (36mho73,36mho73).avi.exe
%LOCALAPPDATA%low\mozilla\temp-{28060726-42ae-4e49-b300-93149d394ff5}\s2fkave mzwpstr8n beast girls cock .mpeg.exe
%LOCALAPPDATA%low\mozilla\temp-{bc1f1f78-2666-4310-aef7-f6fd5ba4bc43}\cum yzw1afy sgu4m7oc ae2sd7u4xh .avi.exe
%APPDATA%\microsoft\templates\asian yzw1afy bd1l5ir sgu4m7oc .rar.exe
%APPDATA%\microsoft\windows\templates\gzn4ud7e mnho9y54 girls legs (2hbt8wr).rar.exe
%APPDATA%\mozilla\firefox\profiles\apc2n9d1.default-release\storage\temporary\ikdyfwhy nude ihthd33 hole .rar.exe
%APPDATA%\thunderbird\profiles\rehh7ft5.default-release\storage\temporary\f1i7cm yzw1afy mzwpstr8n sgu4m7oc .rar.exe
%HOMEPATH%\templates\gzn4ud7e mnho9y54 uncut boobs boots (sonja).rar.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor\8r3baiec tsomq34 big glans (liz,rdl1tfkz).mpg.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor.resources\8r3baiec beast mzwpstr8n [milf] boobs ejn547rbxhd1 (c4w8hqa,karin).rar.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor\viaz50 cum sgu4m7oc titts girly .rar.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor.resources\f1i7cm bd1l5ir xxx bq4kno jxqgtp .rar.exe
%WINDIR%\assembly\gac_64\microsoft.sharepoint.businessdata.administration.client\w6csjja14n1 8ok6yf uncut 8pfmdyy .mpeg.exe
%WINDIR%\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\cum [milf] (cy4xpd).avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\z9z7rwe 8ok6yf sgu4m7oc 50+ .zip.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zap9e41.tmp\4h1e2a346 yzw1afy epyxwn .avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\z9z7rwe mnho9y54 bq4kno eigt45 .avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zap6b8e.tmp\upfgetx xakmpl bq4kno qx2j1b5 (2hbt8wr,liz).zip.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape291.tmp\fac71w2 h93bklf ddqayq uncut girly .zip.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape56e.tmp\gzn4ud7e 8ok6yf 7vepaqjm 8bgkvshe1 (jenna).avi.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_32\temp\w6csjja14n1 uncut legs rv0y8n .rar.exe
%WINDIR%\assembly\temp\ddqayq nom72kl bq4kno gsva2xn .rar.exe
%WINDIR%\assembly\tmp\8ok6yf nom72kl [bangbus] .zip.exe
%WINDIR%\microsoft.net\framework\v4.0.30319\temporary asp.net files\zc8giv9 7nd83wovj vjq39c1gwy 40+ (dxocjwba,gina).rar.exe
%WINDIR%\microsoft.net\framework64\v4.0.30319\temporary asp.net files\7b6fhxi gay wep6b08 [free] ash (c4w8hqa).mpg.exe
%WINDIR%\pla\templates\wpjwijv xxx xakmpl epyxwn .mpeg.exe
%WINDIR%\security\templates\tsomq34 porn [bangbus] zn3tvn (sonja,jenna).mpg.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\microsoft\windows\<INETFILES>\f1i7cm xakmpl h93bklf ihthd33 .zip.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\temp\cum mnho9y54 7vepaqjm .mpeg.exe
%WINDIR%\serviceprofiles\localservice\appdata\roaming\microsoft\windows\templates\lpcu5ai3 tsomq34 bq4kno js80j73 .avi.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\microsoft\windows\<INETFILES>\zc8giv9 nom72kl sperm vjq39c1gwy boobs .zip.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\temp\eq7k2xcxt horse nude l9hwcs7vvnphd9 hole zn3tvn .mpeg.exe
%WINDIR%\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\templates\4h1e2a346 sperm epyxwn .mpg.exe
%WINDIR%\syswow64\config\systemprofile\bd1l5ir nude bq4kno (karin,jade).avi.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\fac71w2 xakmpl big .avi.exe
%WINDIR%\syswow64\fxstmp\eq7k2xcxt horse xakmpl l9hwcs7vvnphd9 feet wifey .rar.exe
%WINDIR%\syswow64\ime\shared\wpjwijv bd1l5ir mnho9y54 [milf] 779mipj .mpeg.exe
%WINDIR%\syswow64\config\systemprofile\ikdyfwhy bd1l5ir bq4kno ol6p1tua .mpg.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\wep6b08 horse vjq39c1gwy boobs gsva2xn .mpg.exe
%WINDIR%\syswow64\fxstmp\f07qtt w6csjja14n1 8ok6yf vjq39c1gwy (sonja,sarah).zip.exe
%WINDIR%\syswow64\ime\shared\fac71w2 w6csjja14n1 tsomq34 nom72kl lzxyhb7k .avi.exe
%WINDIR%\temp\s2fkave w6csjja14n1 sgu4m7oc .rar.exe
%WINDIR%\winsxs\installtemp\8r3baiec horse tsomq34 sgu4m7oc ash .zip.exe
<Current directory>\sqjaed7r1vnw

Miscellaneous

Searches for the following windows

ClassName: 'Progman' WindowName: ''
ClassName: 'Proxy Desktop' WindowName: ''

Restarts the analyzed sample

Executes the following

'%WINDIR%\explorer.exe'

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial