Trojan.KillProc2.30102

Technical Information

Malicious functions

Terminates or attempts to terminate

the following system processes:

%WINDIR%\explorer.exe
<SYSTEM32>\taskhost.exe
<SYSTEM32>\dwm.exe

the following user processes:

iexplore.exe
firefox.exe

Modifies file system

Creates the following files

%WINDIR%y1s2fctrp3
%CommonProgramFiles%\microsoft shared\4h1e2a346 horse hot (!) ejn547rbxhd1 .zip.exe
%ProgramFiles%\dvd maker\shared\0287zh tsomq34 7vepaqjm .mpg.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\eq7k2xcxt h93bklf 7vepaqjm sgoibhh .avi.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\sperm epyxwn zmc8ujp (c4w8hqa,y8oxsqa).mpg.exe
%ProgramFiles%\microsoft office\office14\groove\xml files\space templates\wpjwijv ddqayq sgu4m7oc gsva2xn .rar.exe
%ProgramFiles%\microsoft office\templates\gzn4ud7e yzw1afy vjq39c1gwy sm (rdl1tfkz,y8oxsqa).zip.exe
%ProgramFiles%\microsoft office\templates\1033\onenote\14\notebook templates\f1i7cm uncut qx2j1b5 .avi.exe
%ProgramFiles%\windows journal\templates\4h1e2a346 nom72kl l9hwcs7vvnphd9 6tl9zg0uqa .mpg.exe
%ProgramFiles%\windows sidebar\shared gadgets\upfgetx nom72kl bd1l5ir sgu4m7oc ae2sd7u4xh .mpeg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\idtemplates\bd1l5ir nom72kl feet (g6u8n4r).mpg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files\8r3baiec porn vjq39c1gwy hotel .avi.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files-select\4h1e2a346 bq4kno glans qx2j1b5 (hyo87il,sandy).mpg.exe
%CommonProgramFiles(x86)%\microsoft shared\viaz50 porn epyxwn feet hotel .avi.exe
%ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\vsta\itemtemplates\z9z7rwe porn uncut 50+ (2hbt8wr,sonja).mpeg.exe
%ProgramFiles(x86)%\windows sidebar\shared gadgets\viaz50 nude hot (!) balls .mpg.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\ikdyfwhy gay gay l9hwcs7vvnphd9 glans gh5b6gd7wrv .zip.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\xxx bq4kno eigt45 .rar.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\gay big .mpg.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\fac71w2 nom72kl mzwpstr8n apv53deiq9fw wifey .rar.exe
%ALLUSERSPROFILE%\templates\f1i7cm xxx gay apv53deiq9fw 40+ (g6u8n4r).avi.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\4h1e2a346 beast ihthd33 glans 6tl9zg0uqa .mpg.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\lpcu5ai3 mnho9y54 sgu4m7oc nmibe2 .mpg.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\tsomq34 h93bklf vjq39c1gwy sm (rdl1tfkz).rar.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\f1i7cm wep6b08 epyxwn kfp2yqq ejn547rbxhd1 .rar.exe
%ALLUSERSPROFILE%\templates\black wep6b08 beast 7vepaqjm cock wifey .mpg.exe
C:\users\default\appdata\local\microsoft\windows\<INETFILES>\asian ddqayq beast 7vepaqjm 8pfmdyy .zip.exe
C:\users\default\appdata\local\temp\viaz50 7nd83wovj nom72kl uncut ash fw58kpr41ob1w (jade).zip.exe
C:\users\default\appdata\local\<INETFILES>\ddqayq hot (!) sm .mpg.exe
C:\users\default\appdata\roaming\microsoft\windows\templates\beast [milf] wifey (dehod0).mpg.exe
C:\users\default\templates\bd1l5ir porn vjq39c1gwy .rar.exe
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\xxx l9hwcs7vvnphd9 .avi.exe
%TEMP%\f07qtt cum gay big kfp2yqq 40+ .mpeg.exe
%LOCALAPPDATA%\<INETFILES>\asian bd1l5ir bq4kno (dehod0,gina).mpg.exe
%LOCALAPPDATA%low\mozilla\temp-{12c7f776-de07-4d8a-a6eb-93019fcb4f66}\4h1e2a346 porn [free] .avi.exe
%LOCALAPPDATA%low\mozilla\temp-{28060726-42ae-4e49-b300-93149d394ff5}\viaz50 yzw1afy [milf] (sonja).avi.exe
%LOCALAPPDATA%low\mozilla\temp-{bc1f1f78-2666-4310-aef7-f6fd5ba4bc43}\viaz50 w6csjja14n1 h93bklf epyxwn ash lady .mpg.exe
%APPDATA%\microsoft\templates\sperm ddqayq ihthd33 (hyo87il).rar.exe
%APPDATA%\microsoft\windows\templates\z1qxwcd h93bklf gay l9hwcs7vvnphd9 .avi.exe
%APPDATA%\mozilla\firefox\profiles\apc2n9d1.default-release\storage\temporary\7b6fhxi nom72kl yzw1afy uncut .mpg.exe
%APPDATA%\thunderbird\profiles\rehh7ft5.default-release\storage\temporary\porn mnho9y54 nom72kl ash .avi.exe
%HOMEPATH%\templates\jxaglwti gay lpcu5ai3 [bangbus] js80j73 .avi.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor\gzn4ud7e 8ok6yf sgu4m7oc glans .avi.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor.resources\ikdyfwhy 7nd83wovj l9hwcs7vvnphd9 js80j73 (hyo87il,jenna).mpg.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor\tsomq34 sgu4m7oc (dehod0).zip.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor.resources\7b6fhxi horse vjq39c1gwy .zip.exe
%WINDIR%\assembly\gac_64\microsoft.sharepoint.businessdata.administration.client\ddqayq [milf] 8pfmdyy .mpg.exe
%WINDIR%\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\gay xakmpl 7vepaqjm b37oavmx289 (dxocjwba).mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\ikdyfwhy nude l9hwcs7vvnphd9 779mipj .mpg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zap9e41.tmp\0287zh horse sgu4m7oc balls (y8oxsqa,karin).rar.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\wpjwijv 7nd83wovj ihthd33 feet rv0y8n .rar.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zap6b8e.tmp\black w6csjja14n1 beast big cock (dehod0).zip.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape291.tmp\ sgu4m7oc legs .mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape56e.tmp\yzw1afy l9hwcs7vvnphd9 .zip.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_32\temp\gzn4ud7e beast mzwpstr8n girls 6tl9zg0uqa .avi.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\z9z7rwe yzw1afy [milf] ash (hyo87il).avi.exe
%WINDIR%\assembly\temp\gzn4ud7e nude ihthd33 ash ae2sd7u4xh .mpeg.exe
%WINDIR%\assembly\tmp\horse sgu4m7oc feet .avi.exe
%WINDIR%\microsoft.net\framework\v4.0.30319\temporary asp.net files\z1qxwcd porn l9hwcs7vvnphd9 sm .rar.exe
%WINDIR%\microsoft.net\framework64\v4.0.30319\temporary asp.net files\8ok6yf xakmpl apv53deiq9fw nmibe2 (sonja).avi.exe
%WINDIR%\pla\templates\7b6fhxi mnho9y54 hot (!) glans .zip.exe
%WINDIR%\security\templates\wpjwijv nom72kl horse hot (!) boobs 8pfmdyy .rar.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\microsoft\windows\<INETFILES>\ikdyfwhy nude nude [bangbus] ol6p1tua .mpeg.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\temp\0287zh porn lpcu5ai3 sgu4m7oc titts .rar.exe
%WINDIR%\serviceprofiles\localservice\appdata\roaming\microsoft\windows\templates\fac71w2 tsomq34 lpcu5ai3 nom72kl boobs ol6p1tua (36mho73,c4w8hqa).rar.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\microsoft\windows\<INETFILES>\fac71w2 bd1l5ir horse [milf] glans .zip.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\temp\jxaglwti horse gay vjq39c1gwy mg9fvb2xk9 (sonja).mpg.exe
%WINDIR%\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\templates\jxaglwti mzwpstr8n xxx [milf] ash .avi.exe
%WINDIR%\syswow64\config\systemprofile\mnho9y54 epyxwn (hyo87il,y8oxsqa).zip.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\0287zh mzwpstr8n [free] qx2j1b5 .avi.exe
%WINDIR%\syswow64\fxstmp\sperm [bangbus] .mpeg.exe
%WINDIR%\syswow64\ime\shared\fac71w2 yzw1afy tsomq34 hot (!) .mpeg.exe
%WINDIR%\syswow64\config\systemprofile\viaz50 8ok6yf epyxwn (gina,y8oxsqa).mpeg.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\xxx sperm [bangbus] qx2j1b5 (g6u8n4r,c4w8hqa).rar.exe
%WINDIR%\syswow64\fxstmp\h93bklf mzwpstr8n nom72kl sweet .avi.exe
%WINDIR%\syswow64\ime\shared\tsomq34 7nd83wovj [bangbus] 40+ (sarah).rar.exe
%WINDIR%\temp\f07qtt xxx xakmpl girls nrb42wq .mpg.exe

Miscellaneous

Searches for the following windows

ClassName: 'Progman' WindowName: ''
ClassName: 'Proxy Desktop' WindowName: ''

Restarts the analyzed sample

Executes the following

'%WINDIR%\explorer.exe'

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial