Trojan.KillProc2.25553

Technical Information

Malicious functions

Terminates or attempts to terminate

the following system processes:

%WINDIR%\explorer.exe
<SYSTEM32>\taskhost.exe
<SYSTEM32>\dwm.exe

the following user processes:

iexplore.exe
firefox.exe

Modifies file system

Creates the following files

%WINDIR%y1s2fctrp3
%CommonProgramFiles%\microsoft shared\mnho9y54 w6csjja14n1 l9hwcs7vvnphd9 zmc8ujp .mpg.exe
%ProgramFiles%\dvd maker\shared\lpcu5ai3 bq4kno titts .zip.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\z1qxwcd hot (!) (liz,sonja).avi.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\z1qxwcd bd1l5ir gay vjq39c1gwy cock .avi.exe
%ProgramFiles%\microsoft office\office14\groove\xml files\space templates\f07qtt xxx [free] jxqgtp sweet (rdl1tfkz,sandy).avi.exe
%ProgramFiles%\microsoft office\templates\lpcu5ai3 ihthd33 kfp2yqq latex .avi.exe
%ProgramFiles%\microsoft office\templates\1033\onenote\14\notebook templates\8ok6yf ihthd33 .rar.exe
%ProgramFiles%\windows journal\templates\ikdyfwhy sperm epyxwn 50+ .zip.exe
%ProgramFiles%\windows sidebar\shared gadgets\f07qtt lpcu5ai3 l9hwcs7vvnphd9 fishy (36mho73).mpg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\idtemplates\f07qtt sperm big jxqgtp qx2j1b5 .avi.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files\0287zh xxx yzw1afy girls .rar.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files-select\7nd83wovj hot (!) boots .avi.exe
%CommonProgramFiles(x86)%\microsoft shared\zc8giv9 wep6b08 cum hot (!) feet .mpg.exe
%ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\vsta\itemtemplates\s2fkave wep6b08 l9hwcs7vvnphd9 fw58kpr41ob1w .mpeg.exe
%ProgramFiles(x86)%\windows sidebar\shared gadgets\f1i7cm cum sgu4m7oc .mpeg.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\horse wep6b08 uncut titts (karin).mpeg.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\eq7k2xcxt yzw1afy nom72kl girly .mpeg.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\7nd83wovj big cock .mpg.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\ikdyfwhy bd1l5ir cum 7vepaqjm 6tl9zg0uqa .rar.exe
%ALLUSERSPROFILE%\templates\f07qtt lpcu5ai3 vjq39c1gwy ash .zip.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\z1qxwcd mzwpstr8n [bangbus] ol6p1tua .mpg.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\yzw1afy [milf] cock wifey (jenna).avi.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\h93bklf hot (!) .rar.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\eq7k2xcxt horse big .rar.exe
%ALLUSERSPROFILE%\templates\wpjwijv lpcu5ai3 wep6b08 uncut .rar.exe
C:\users\default\appdata\local\microsoft\windows\<INETFILES>\fac71w2 nude girls balls .avi.exe
C:\users\default\appdata\local\temp\asian porn epyxwn (g6u8n4r,sarah).mpg.exe
C:\users\default\appdata\local\<INETFILES>\7b6fhxi nude beast sgu4m7oc .zip.exe
C:\users\default\appdata\roaming\microsoft\windows\templates\black nude wep6b08 epyxwn .avi.exe
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\zc8giv9 uncut fw58kpr41ob1w .mpeg.exe
%TEMP%\gzn4ud7e wep6b08 lpcu5ai3 [milf] boots .avi.exe
%LOCALAPPDATA%\<INETFILES>\mnho9y54 nom72kl [bangbus] .mpeg.exe
%LOCALAPPDATA%low\mozilla\temp-{12c7f776-de07-4d8a-a6eb-93019fcb4f66}\h93bklf ddqayq big boobs .mpg.exe
%LOCALAPPDATA%low\mozilla\temp-{28060726-42ae-4e49-b300-93149d394ff5}\f1i7cm tsomq34 vjq39c1gwy shoes (jenna,36mho73).rar.exe
%LOCALAPPDATA%low\mozilla\temp-{bc1f1f78-2666-4310-aef7-f6fd5ba4bc43}\f1i7cm mnho9y54 yzw1afy sgu4m7oc 779mipj (liz).zip.exe
%APPDATA%\microsoft\templates\beast horse bq4kno .mpg.exe
%APPDATA%\microsoft\windows\templates\yzw1afy vjq39c1gwy boobs .zip.exe
%APPDATA%\mozilla\firefox\profiles\apc2n9d1.default-release\storage\temporary\ddqayq epyxwn fw58kpr41ob1w .mpeg.exe
%APPDATA%\thunderbird\profiles\rehh7ft5.default-release\storage\temporary\f07qtt ddqayq yzw1afy vjq39c1gwy .zip.exe
%HOMEPATH%\templates\cum apv53deiq9fw .avi.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor\asian wep6b08 horse epyxwn kfp2yqq .avi.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor.resources\f1i7cm tsomq34 7vepaqjm hairy .zip.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor\7nd83wovj uncut 8pfmdyy .rar.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor.resources\s2fkave porn ihthd33 legs .avi.exe
%WINDIR%\assembly\gac_64\microsoft.sharepoint.businessdata.administration.client\wpjwijv beast apv53deiq9fw (cy4xpd,dxocjwba).avi.exe
%WINDIR%\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\jxaglwti wep6b08 ddqayq sgu4m7oc jxqgtp lzxyhb7k .mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zap9e41.tmp\asian ddqayq uncut gsva2xn .mpg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\8ok6yf [bangbus] shoes .zip.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zap6b8e.tmp\xakmpl uncut .mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape291.tmp\w6csjja14n1 uncut lzxyhb7k (liz,gina).rar.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape56e.tmp\8ok6yf yzw1afy sgu4m7oc .mpg.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_32\temp\zc8giv9 gay lpcu5ai3 7vepaqjm hotel .mpeg.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\s2fkave w6csjja14n1 mnho9y54 apv53deiq9fw .mpg.exe
%WINDIR%\assembly\temp\porn horse [milf] legs girly .mpeg.exe
%WINDIR%\assembly\tmp\gzn4ud7e h93bklf ddqayq hot (!) kfp2yqq rv0y8n .mpg.exe
%WINDIR%\microsoft.net\framework\v4.0.30319\temporary asp.net files\asian w6csjja14n1 big .avi.exe
%WINDIR%\microsoft.net\framework64\v4.0.30319\temporary asp.net files\xakmpl sperm apv53deiq9fw (y8oxsqa,sandy).mpg.exe
%WINDIR%\pla\templates\fac71w2 nom72kl horse ihthd33 .mpg.exe
%WINDIR%\security\templates\fac71w2 porn uncut (dxocjwba,hyo87il).rar.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\microsoft\windows\<INETFILES>\gzn4ud7e gay 7vepaqjm jxqgtp lzxyhb7k (sonja).mpg.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\temp\z1qxwcd sperm nom72kl b37oavmx289 (2hbt8wr,dxocjwba).rar.exe
%WINDIR%\serviceprofiles\localservice\appdata\roaming\microsoft\windows\templates\wpjwijv nom72kl nom72kl legs (g6u8n4r,sonja).zip.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\microsoft\windows\<INETFILES>\fac71w2 nude apv53deiq9fw .zip.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\temp\upfgetx cum [bangbus] hole hotel .rar.exe
%WINDIR%\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\templates\ikdyfwhy mnho9y54 tsomq34 vjq39c1gwy .rar.exe
%WINDIR%\syswow64\config\systemprofile\wpjwijv porn xxx uncut zmc8ujp .zip.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\upfgetx gay nude ihthd33 (dehod0).mpeg.exe
%WINDIR%\syswow64\fxstmp\bd1l5ir mnho9y54 sgu4m7oc boobs ae2sd7u4xh .mpg.exe
%WINDIR%\syswow64\ime\shared\ddqayq bq4kno boots .avi.exe
%WINDIR%\syswow64\config\systemprofile\nude uncut feet ejn547rbxhd1 .avi.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\gzn4ud7e nom72kl ash (sonja,karin).mpg.exe
%WINDIR%\syswow64\fxstmp\mzwpstr8n w6csjja14n1 uncut kfp2yqq 8bgkvshe1 (haj1oyikd).rar.exe
%WINDIR%\syswow64\ime\shared\8r3baiec nude 8ok6yf hot (!) girly .zip.exe
%WINDIR%\temp\ikdyfwhy wep6b08 tsomq34 [bangbus] 8bgkvshe1 .rar.exe
%WINDIR%\winsxs\installtemp\ girls kfp2yqq girly .avi.exe
<Current directory>\sqjaed7r1vnw

Miscellaneous

Searches for the following windows

ClassName: 'Progman' WindowName: ''
ClassName: 'Proxy Desktop' WindowName: ''

Restarts the analyzed sample

Executes the following

'%WINDIR%\explorer.exe'

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Technical Information

Curing recommendations

Free trial