Trojan.KillProc2.25580

Technical Information

Malicious functions

Terminates or attempts to terminate

the following system processes:

%WINDIR%\explorer.exe
<SYSTEM32>\taskhost.exe
<SYSTEM32>\dwm.exe

the following user processes:

iexplore.exe
firefox.exe

Modifies file system

Creates the following files

%WINDIR%y1s2fctrp3
%CommonProgramFiles%\microsoft shared\4h1e2a346 xakmpl vjq39c1gwy lzxyhb7k (karin).avi.exe
%ProgramFiles%\dvd maker\shared\z9z7rwe xakmpl horse [milf] sm .zip.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\wep6b08 7vepaqjm legs girly .rar.exe
%ProgramFiles%\microsoft office\office14\groove\xml files\space templates\7nd83wovj bq4kno 8bgkvshe1 .rar.exe
%ProgramFiles%\microsoft office\templates\viaz50 7nd83wovj uncut jxqgtp sgoibhh .mpg.exe
%ProgramFiles%\microsoft office\templates\1033\onenote\14\notebook templates\upfgetx 7nd83wovj tsomq34 apv53deiq9fw .mpg.exe
%ProgramFiles%\windows journal\templates\f07qtt porn 7nd83wovj l9hwcs7vvnphd9 legs girly .zip.exe
%ProgramFiles%\windows sidebar\shared gadgets\7b6fhxi 8ok6yf [milf] js80j73 .mpg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\idtemplates\wpjwijv sperm [milf] kfp2yqq .rar.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files\w6csjja14n1 nude girls hole .mpg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files-select\viaz50 horse xakmpl hot (!) ash wifey (sarah).zip.exe
%CommonProgramFiles(x86)%\microsoft shared\7nd83wovj epyxwn legs (liz,karin).mpeg.exe
%ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\vsta\itemtemplates\horse beast uncut legs ae2sd7u4xh .mpeg.exe
%ProgramFiles(x86)%\windows sidebar\shared gadgets\fac71w2 mnho9y54 bd1l5ir epyxwn boobs fishy .mpg.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\z9z7rwe beast uncut (karin).rar.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\bd1l5ir bd1l5ir vjq39c1gwy shoes (dxocjwba,rdl1tfkz).avi.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\upfgetx lpcu5ai3 vjq39c1gwy kfp2yqq (gina).zip.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\zc8giv9 porn horse [milf] jxqgtp ejn547rbxhd1 .mpeg.exe
%ALLUSERSPROFILE%\templates\f07qtt ddqayq big shoes (dehod0).rar.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\4h1e2a346 porn wep6b08 7vepaqjm ol6p1tua .avi.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\viaz50 beast vjq39c1gwy glans 8pfmdyy .mpg.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\porn uncut lzxyhb7k .avi.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\wep6b08 porn vjq39c1gwy js80j73 .zip.exe
%ALLUSERSPROFILE%\templates\wpjwijv 8ok6yf vjq39c1gwy .mpeg.exe
C:\users\default\appdata\local\microsoft\windows\<INETFILES>\fac71w2 horse l9hwcs7vvnphd9 legs ol6p1tua .rar.exe
C:\users\default\appdata\local\temp\7b6fhxi 7nd83wovj mnho9y54 uncut sm .zip.exe
C:\users\default\appdata\local\<INETFILES>\xxx xxx l9hwcs7vvnphd9 hotel .rar.exe
C:\users\default\appdata\roaming\microsoft\windows\templates\4h1e2a346 nom72kl nude uncut .zip.exe
C:\users\default\templates\w6csjja14n1 l9hwcs7vvnphd9 .zip.exe
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\w6csjja14n1 beast sgu4m7oc titts (2hbt8wr).rar.exe
%TEMP%\f1i7cm 7nd83wovj nude [bangbus] hairy .mpg.exe
%LOCALAPPDATA%\<INETFILES>\s2fkave horse epyxwn cock .avi.exe
%LOCALAPPDATA%low\mozilla\temp-{070abd97-84e1-4f5f-9c02-f1d76dd9fce4}\horse uncut hole young .mpg.exe
%LOCALAPPDATA%low\mozilla\temp-{1fae114c-c2b0-4da1-b23a-8e5ad0c3d722}\gzn4ud7e horse 8ok6yf [free] nrb42wq (sandy,y8oxsqa).avi.exe
%LOCALAPPDATA%low\mozilla\temp-{3571406e-c08c-4c74-b145-8857b365f6e7}\8r3baiec h93bklf lpcu5ai3 epyxwn nrb42wq (y8oxsqa).zip.exe
%APPDATA%\microsoft\templates\s2fkave h93bklf tsomq34 apv53deiq9fw 40+ (haj1oyikd).mpeg.exe
%APPDATA%\microsoft\windows\templates\8ok6yf bd1l5ir [milf] feet .mpg.exe
%APPDATA%\mozilla\firefox\profiles\v08trqk6.default-release\storage\temporary\z1qxwcd 8ok6yf apv53deiq9fw zmc8ujp (hyo87il).mpg.exe
%APPDATA%\thunderbird\profiles\chdgbv82.default-release\storage\temporary\ikdyfwhy lpcu5ai3 xxx nom72kl js80j73 .mpg.exe
%HOMEPATH%\templates\upfgetx gay xxx bq4kno .zip.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor\cum nom72kl hot (!) (hyo87il).avi.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor.resources\z1qxwcd 7nd83wovj [free] (c4w8hqa,2hbt8wr).zip.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor\mnho9y54 wep6b08 [free] mg9fvb2xk9 .zip.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor.resources\8r3baiec nom72kl girls boobs sweet .mpg.exe
%WINDIR%\assembly\gac_64\microsoft.sharepoint.businessdata.administration.client\0287zh 8ok6yf horse uncut ash .mpeg.exe
%WINDIR%\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\ddqayq hot (!) .mpg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\8r3baiec 8ok6yf yzw1afy apv53deiq9fw cock .mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zap9e41.tmp\gzn4ud7e porn sgu4m7oc (c4w8hqa,karin).rar.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\viaz50 tsomq34 porn nom72kl .zip.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zap6b8e.tmp\7b6fhxi tsomq34 l9hwcs7vvnphd9 .avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape291.tmp\ikdyfwhy ddqayq ihthd33 young .mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape56e.tmp\h93bklf big shoes (dxocjwba,dxocjwba).avi.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_32\temp\7nd83wovj [milf] kfp2yqq .zip.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\7b6fhxi mnho9y54 wep6b08 nom72kl jxqgtp 6tl9zg0uqa .mpeg.exe
%WINDIR%\assembly\temp\f07qtt beast [bangbus] .avi.exe
%WINDIR%\assembly\tmp\black bd1l5ir girls .rar.exe
%WINDIR%\microsoft.net\framework\v4.0.30319\temporary asp.net files\z9z7rwe tsomq34 ddqayq [milf] boots (rdl1tfkz,sonja).mpg.exe
%WINDIR%\microsoft.net\framework64\v4.0.30319\temporary asp.net files\lpcu5ai3 cum [milf] sweet .mpg.exe
%WINDIR%\pla\templates\fac71w2 7nd83wovj bq4kno .avi.exe
%WINDIR%\security\templates\ 7nd83wovj uncut nrb42wq .mpeg.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\microsoft\windows\<INETFILES>\bd1l5ir ihthd33 boobs mg9fvb2xk9 .mpg.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\temp\horse l9hwcs7vvnphd9 .mpg.exe
%WINDIR%\serviceprofiles\localservice\appdata\roaming\microsoft\windows\templates\black ddqayq uncut feet .zip.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\microsoft\windows\<INETFILES>\zc8giv9 horse ddqayq epyxwn kfp2yqq .avi.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\temp\f07qtt yzw1afy beast hot (!) fw58kpr41ob1w .rar.exe
%WINDIR%\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\templates\lpcu5ai3 [bangbus] girly (y8oxsqa,hyo87il).mpeg.exe
%WINDIR%\syswow64\config\systemprofile\horse horse [milf] (cy4xpd).rar.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\z9z7rwe sperm xakmpl bq4kno lady .mpeg.exe
%WINDIR%\syswow64\fxstmp\wpjwijv 7nd83wovj w6csjja14n1 uncut (sandy).zip.exe
%WINDIR%\syswow64\ime\shared\f1i7cm bd1l5ir big .mpg.exe
%WINDIR%\syswow64\config\systemprofile\s2fkave lpcu5ai3 7vepaqjm .mpeg.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\4h1e2a346 7nd83wovj horse [bangbus] .rar.exe
%WINDIR%\syswow64\fxstmp\fac71w2 yzw1afy girls mg9fvb2xk9 (liz,jenna).mpg.exe
%WINDIR%\syswow64\ime\shared\wep6b08 apv53deiq9fw .mpeg.exe
%WINDIR%\temp\mzwpstr8n apv53deiq9fw gh5b6gd7wrv .zip.exe
%WINDIR%\winsxs\installtemp\black h93bklf vjq39c1gwy .zip.exe
<Current directory>\sqjaed7r1vnw

Miscellaneous

Searches for the following windows

ClassName: 'Progman' WindowName: ''
ClassName: 'Proxy Desktop' WindowName: ''

Restarts the analyzed sample

Executes the following

'%WINDIR%\explorer.exe'

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial