Trojan.KillProc2.25256

Technical Information

Malicious functions

Terminates or attempts to terminate

the following system processes:

%WINDIR%\explorer.exe
<SYSTEM32>\taskhost.exe
<SYSTEM32>\dwm.exe

the following user processes:

iexplore.exe
firefox.exe

Modifies file system

Creates the following files

%WINDIR%y1s2fctrp3
%CommonProgramFiles%\microsoft shared\8r3baiec hot (!) (cy4xpd).rar.exe
%ProgramFiles%\dvd maker\shared\z1qxwcd horse ihthd33 ash fishy (sarah,dehod0).rar.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\ikdyfwhy porn xxx apv53deiq9fw 8bgkvshe1 .mpg.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\0287zh beast vjq39c1gwy cock ae2sd7u4xh .mpg.exe
%ProgramFiles%\microsoft office\office14\groove\xml files\space templates\viaz50 ddqayq bq4kno young .mpeg.exe
%ProgramFiles%\microsoft office\templates\lpcu5ai3 xxx girls sweet .mpeg.exe
%ProgramFiles%\microsoft office\templates\1033\onenote\14\notebook templates\horse cum apv53deiq9fw 40+ .mpg.exe
%ProgramFiles%\windows journal\templates\gay big fw58kpr41ob1w (sarah).avi.exe
%ProgramFiles%\windows sidebar\shared gadgets\z1qxwcd xxx 7vepaqjm rv0y8n .zip.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\idtemplates\yzw1afy 7vepaqjm .rar.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files\4h1e2a346 ddqayq sgu4m7oc (36mho73).zip.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files-select\xakmpl sgu4m7oc ash .mpeg.exe
%CommonProgramFiles(x86)%\microsoft shared\wpjwijv wep6b08 cum [bangbus] .rar.exe
%ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\vsta\itemtemplates\z1qxwcd bd1l5ir 7vepaqjm jxqgtp (sandy,sonja).avi.exe
%ProgramFiles(x86)%\windows sidebar\shared gadgets\porn 7vepaqjm ae2sd7u4xh (sonja).mpg.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\f07qtt gay sgu4m7oc legs eigt45 (gina).mpg.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\8ok6yf mzwpstr8n apv53deiq9fw boots (jade,2hbt8wr).mpg.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\fac71w2 nom72kl bd1l5ir bq4kno .mpg.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\wpjwijv wep6b08 [bangbus] .mpeg.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\viaz50 horse gay [free] sgoibhh .mpeg.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\asian uncut .mpg.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\viaz50 yzw1afy tsomq34 l9hwcs7vvnphd9 legs lzxyhb7k .avi.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\mnho9y54 h93bklf big jxqgtp .mpeg.exe
%ALLUSERSPROFILE%\templates\s2fkave mzwpstr8n porn uncut kfp2yqq zn3tvn .mpeg.exe
C:\users\default\appdata\local\microsoft\windows\<INETFILES>\4h1e2a346 yzw1afy 7nd83wovj bq4kno ash rv0y8n .mpg.exe
C:\users\default\appdata\local\temp\zc8giv9 gay 7nd83wovj [milf] js80j73 .mpg.exe
C:\users\default\appdata\local\<INETFILES>\cum ihthd33 legs 6tl9zg0uqa .mpg.exe
C:\users\default\appdata\roaming\microsoft\windows\templates\mzwpstr8n nom72kl girls wifey .zip.exe
C:\users\default\templates\upfgetx nude 8ok6yf l9hwcs7vvnphd9 boobs zn3tvn .mpg.exe
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\eq7k2xcxt 8ok6yf [bangbus] ae2sd7u4xh .rar.exe
%TEMP%\4h1e2a346 ddqayq sgu4m7oc nrb42wq .mpg.exe
%LOCALAPPDATA%\<INETFILES>\wpjwijv h93bklf apv53deiq9fw sgoibhh .rar.exe
%LOCALAPPDATA%low\mozilla\temp-{12c7f776-de07-4d8a-a6eb-93019fcb4f66}\porn gay hot (!) cock .mpeg.exe
%LOCALAPPDATA%low\mozilla\temp-{28060726-42ae-4e49-b300-93149d394ff5}\0287zh porn vjq39c1gwy .zip.exe
%LOCALAPPDATA%low\mozilla\temp-{bc1f1f78-2666-4310-aef7-f6fd5ba4bc43}\ikdyfwhy tsomq34 uncut (y8oxsqa).mpg.exe
%APPDATA%\microsoft\templates\f1i7cm h93bklf apv53deiq9fw lzxyhb7k (g6u8n4r).mpg.exe
%APPDATA%\microsoft\windows\templates\f1i7cm wep6b08 girls ol6p1tua (c4w8hqa,liz).mpg.exe
%APPDATA%\mozilla\firefox\profiles\apc2n9d1.default-release\storage\temporary\h93bklf ihthd33 hotel .avi.exe
%APPDATA%\thunderbird\profiles\rehh7ft5.default-release\storage\temporary\fac71w2 gay sgu4m7oc latex (2hbt8wr).avi.exe
%HOMEPATH%\templates\f1i7cm horse 8ok6yf vjq39c1gwy balls .rar.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor\zc8giv9 7vepaqjm ash ejn547rbxhd1 (sarah,c4w8hqa).avi.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor.resources\black mnho9y54 apv53deiq9fw .mpg.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor\ddqayq nom72kl legs (dxocjwba).avi.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor.resources\7b6fhxi horse tsomq34 [bangbus] nmibe2 .zip.exe
%WINDIR%\assembly\gac_64\microsoft.sharepoint.businessdata.administration.client\lpcu5ai3 cum [milf] hole 50+ (jenna,rdl1tfkz).rar.exe
%WINDIR%\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\asian 7nd83wovj big shoes .avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\s2fkave xakmpl nude vjq39c1gwy hole girly .avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zap9e41.tmp\tsomq34 bq4kno wifey (dehod0).mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\0287zh cum gay [free] .avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zap6b8e.tmp\nude h93bklf 7vepaqjm ash .avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape291.tmp\bd1l5ir nude 7vepaqjm latex .avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape56e.tmp\beast apv53deiq9fw latex .mpeg.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_32\temp\4h1e2a346 porn [bangbus] legs 779mipj (rdl1tfkz,jade).avi.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\8ok6yf vjq39c1gwy .zip.exe
%WINDIR%\assembly\temp\beast [bangbus] jxqgtp boots .avi.exe
%WINDIR%\assembly\tmp\ bq4kno .mpeg.exe
%WINDIR%\microsoft.net\framework\v4.0.30319\temporary asp.net files\4h1e2a346 nude sperm l9hwcs7vvnphd9 rv0y8n .mpeg.exe
%WINDIR%\microsoft.net\framework64\v4.0.30319\temporary asp.net files\black 7nd83wovj gay [free] legs 50+ (sonja).mpeg.exe
%WINDIR%\pla\templates\xakmpl apv53deiq9fw ash eigt45 .rar.exe
%WINDIR%\security\templates\tsomq34 lpcu5ai3 bq4kno (jenna).avi.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\microsoft\windows\<INETFILES>\fac71w2 7nd83wovj w6csjja14n1 hot (!) .rar.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\temp\gzn4ud7e wep6b08 uncut 6tl9zg0uqa (y8oxsqa,jenna).zip.exe
%WINDIR%\serviceprofiles\localservice\appdata\roaming\microsoft\windows\templates\black sperm gay ihthd33 8pfmdyy .mpeg.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\microsoft\windows\<INETFILES>\upfgetx mzwpstr8n epyxwn young .rar.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\temp\jxaglwti bd1l5ir gay hot (!) fw58kpr41ob1w .mpg.exe
%WINDIR%\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\templates\s2fkave gay gay [free] feet .rar.exe
%WINDIR%\syswow64\config\systemprofile\wpjwijv h93bklf horse [milf] boobs .mpeg.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\8r3baiec yzw1afy [milf] 8pfmdyy .zip.exe
%WINDIR%\syswow64\fxstmp\z9z7rwe xakmpl 7vepaqjm ash (dehod0).mpeg.exe
%WINDIR%\syswow64\ime\shared\wep6b08 gay big jxqgtp ejn547rbxhd1 .mpg.exe
%WINDIR%\syswow64\config\systemprofile\wpjwijv gay hot (!) qx2j1b5 .zip.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\ikdyfwhy tsomq34 horse big .zip.exe
%WINDIR%\syswow64\ime\shared\w6csjja14n1 8ok6yf big shoes .mpg.exe
%WINDIR%\temp\ikdyfwhy tsomq34 tsomq34 uncut 8pfmdyy .avi.exe

Miscellaneous

Searches for the following windows

ClassName: 'Progman' WindowName: ''
ClassName: 'Proxy Desktop' WindowName: ''

Restarts the analyzed sample

Executes the following

'%WINDIR%\explorer.exe'

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Technical Information

Curing recommendations

Free trial