Trojan.KillProc2.29708

Technical Information

Malicious functions

Terminates or attempts to terminate

the following system processes:

%WINDIR%\explorer.exe
<SYSTEM32>\taskhost.exe
<SYSTEM32>\dwm.exe

the following user processes:

iexplore.exe
firefox.exe

Modifies file system

Creates the following files

%WINDIR%y1s2fctrp3
%CommonProgramFiles%\microsoft shared\mnho9y54 nom72kl nrb42wq .mpg.exe
%ProgramFiles%\dvd maker\shared\upfgetx w6csjja14n1 mnho9y54 l9hwcs7vvnphd9 nmibe2 .rar.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\gzn4ud7e nude horse [bangbus] .rar.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\f07qtt ddqayq beast ihthd33 titts balls .mpeg.exe
%ProgramFiles%\microsoft office\office14\groove\xml files\space templates\ [milf] cock gh5b6gd7wrv (c4w8hqa).rar.exe
%ProgramFiles%\microsoft office\templates\eq7k2xcxt 8ok6yf beast ihthd33 glans .mpg.exe
%ProgramFiles%\microsoft office\templates\1033\onenote\14\notebook templates\gay hot (!) feet sgoibhh (2hbt8wr).rar.exe
%ProgramFiles%\windows journal\templates\black 7nd83wovj nom72kl 7vepaqjm feet .mpeg.exe
%ProgramFiles%\windows sidebar\shared gadgets\z9z7rwe horse mzwpstr8n [milf] (y8oxsqa).avi.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\idtemplates\sperm uncut 40+ (sandy,cy4xpd).avi.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files\z9z7rwe xakmpl horse nom72kl cock .rar.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files-select\nom72kl big young (jenna,c4w8hqa).rar.exe
%CommonProgramFiles(x86)%\microsoft shared\f1i7cm wep6b08 xxx uncut titts .avi.exe
%ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\vsta\itemtemplates\z9z7rwe w6csjja14n1 yzw1afy vjq39c1gwy glans fw58kpr41ob1w (g6u8n4r).avi.exe
%ProgramFiles(x86)%\windows sidebar\shared gadgets\upfgetx 7nd83wovj beast apv53deiq9fw hole sm (g6u8n4r).zip.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\sperm ihthd33 hole .mpeg.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\sperm uncut hairy .avi.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\f07qtt wep6b08 beast bq4kno rv0y8n .zip.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\f07qtt wep6b08 yzw1afy big young .mpeg.exe
%ALLUSERSPROFILE%\templates\black 7nd83wovj ihthd33 .mpeg.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\gay sgu4m7oc cock hotel .mpeg.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\f07qtt wep6b08 beast sgu4m7oc ol6p1tua .rar.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\gzn4ud7e xakmpl tsomq34 uncut cock zn3tvn .zip.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\gzn4ud7e bd1l5ir horse [free] 40+ (sonja,2hbt8wr).rar.exe
%ALLUSERSPROFILE%\templates\eq7k2xcxt wep6b08 xxx [bangbus] glans zn3tvn (cy4xpd).mpg.exe
C:\users\default\appdata\local\microsoft\windows\<INETFILES>\fac71w2 w6csjja14n1 xxx 7vepaqjm zmc8ujp .avi.exe
C:\users\default\appdata\local\temp\8r3baiec bd1l5ir gay 7vepaqjm sgoibhh .mpg.exe
C:\users\default\appdata\local\<INETFILES>\mzwpstr8n apv53deiq9fw glans .zip.exe
C:\users\default\appdata\roaming\microsoft\windows\templates\nom72kl hot (!) feet hairy (g6u8n4r).mpg.exe
C:\users\default\templates\eq7k2xcxt h93bklf lpcu5ai3 uncut hole .rar.exe
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\f1i7cm 8ok6yf beast sgu4m7oc (cy4xpd).mpeg.exe
%TEMP%\black w6csjja14n1 gay sgu4m7oc cock (jenna,y8oxsqa).mpeg.exe
%LOCALAPPDATA%\<INETFILES>\eq7k2xcxt xakmpl nom72kl [milf] cock 8pfmdyy (liz).rar.exe
%LOCALAPPDATA%low\mozilla\temp-{070abd97-84e1-4f5f-9c02-f1d76dd9fce4}\eq7k2xcxt bd1l5ir mnho9y54 epyxwn .zip.exe
%LOCALAPPDATA%low\mozilla\temp-{1fae114c-c2b0-4da1-b23a-8e5ad0c3d722}\f1i7cm bd1l5ir horse [bangbus] cock sgoibhh .zip.exe
%LOCALAPPDATA%low\mozilla\temp-{3571406e-c08c-4c74-b145-8857b365f6e7}\8r3baiec horse sperm 7vepaqjm js80j73 .zip.exe
%APPDATA%\microsoft\templates\upfgetx w6csjja14n1 xxx hot (!) young (sonja,sarah).rar.exe
%APPDATA%\microsoft\windows\templates\eq7k2xcxt nude yzw1afy vjq39c1gwy (dxocjwba).mpeg.exe
%APPDATA%\mozilla\firefox\profiles\v08trqk6.default-release\storage\temporary\fac71w2 h93bklf mnho9y54 sgu4m7oc young .zip.exe
%APPDATA%\thunderbird\profiles\chdgbv82.default-release\storage\temporary\tsomq34 bq4kno rv0y8n .zip.exe
%HOMEPATH%\templates\f07qtt horse xxx apv53deiq9fw titts hotel .mpeg.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor\f07qtt horse yzw1afy [free] feet girly .zip.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor.resources\mzwpstr8n uncut (liz).zip.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor\fac71w2 h93bklf sperm bq4kno .avi.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor.resources\f1i7cm horse xxx [free] lzxyhb7k .avi.exe
%WINDIR%\assembly\gac_64\microsoft.sharepoint.businessdata.administration.client\ vjq39c1gwy .mpeg.exe
%WINDIR%\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\gay [bangbus] young .mpg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\gzn4ud7e xakmpl mnho9y54 ihthd33 titts mg9fvb2xk9 .avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zap9e41.tmp\upfgetx nude lpcu5ai3 [bangbus] titts zmc8ujp .rar.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\upfgetx nude gay girls balls (36mho73,sarah).mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zap6b8e.tmp\upfgetx h93bklf nom72kl bq4kno (g6u8n4r).avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape291.tmp\eq7k2xcxt horse lpcu5ai3 7vepaqjm .avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape56e.tmp\horse ihthd33 b37oavmx289 .mpg.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_32\temp\horse vjq39c1gwy latex .mpg.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\tsomq34 epyxwn hole 8bgkvshe1 .rar.exe
%WINDIR%\assembly\temp\eq7k2xcxt cum horse hot (!) feet qq6w54yfhtqrbwcslg (g6u8n4r).rar.exe
%WINDIR%\assembly\tmp\nom72kl 7vepaqjm .mpeg.exe
%WINDIR%\microsoft.net\framework\v4.0.30319\temporary asp.net files\tsomq34 [free] boots .mpg.exe
%WINDIR%\microsoft.net\framework64\v4.0.30319\temporary asp.net files\lpcu5ai3 l9hwcs7vvnphd9 titts sm (jade).rar.exe
%WINDIR%\pla\templates\ l9hwcs7vvnphd9 glans .zip.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\microsoft\windows\<INETFILES>\viaz50 beast uncut balls .zip.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\temp\xxx [bangbus] gsva2xn .mpeg.exe
%WINDIR%\serviceprofiles\localservice\appdata\roaming\microsoft\windows\templates\f07qtt nude yzw1afy uncut hairy .avi.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\microsoft\windows\<INETFILES>\z9z7rwe bd1l5ir [milf] feet b37oavmx289 .mpg.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\temp\8r3baiec wep6b08 [free] b37oavmx289 .avi.exe
%WINDIR%\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\templates\xxx 7vepaqjm titts ae2sd7u4xh .zip.exe
%WINDIR%\syswow64\config\systemprofile\eq7k2xcxt bd1l5ir horse 7vepaqjm 8pfmdyy .zip.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\sperm [free] .mpg.exe
%WINDIR%\syswow64\fxstmp\lpcu5ai3 big (g6u8n4r).zip.exe
%WINDIR%\syswow64\ime\shared\mnho9y54 uncut feet gsva2xn .avi.exe
%WINDIR%\syswow64\config\systemprofile\black xakmpl lpcu5ai3 big feet nrb42wq (dxocjwba).mpg.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\eq7k2xcxt w6csjja14n1 sperm nom72kl (y8oxsqa).mpg.exe
%WINDIR%\syswow64\fxstmp\f1i7cm bd1l5ir gay l9hwcs7vvnphd9 hole boots .rar.exe
%WINDIR%\syswow64\ime\shared\mnho9y54 sgu4m7oc .zip.exe
%WINDIR%\temp\z9z7rwe cum horse big 50+ .mpg.exe
%WINDIR%\winsxs\installtemp\lpcu5ai3 uncut zn3tvn (dehod0,sarah).avi.exe
<Current directory>\sqjaed7r1vnw

Miscellaneous

Searches for the following windows

ClassName: 'Progman' WindowName: ''
ClassName: 'Proxy Desktop' WindowName: ''

Restarts the analyzed sample

Executes the following

'%WINDIR%\explorer.exe'

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial