Trojan.KillProc2.28658

Technical Information

Malicious functions

Terminates or attempts to terminate

the following system processes:

%WINDIR%\explorer.exe
<SYSTEM32>\taskhost.exe
<SYSTEM32>\dwm.exe

the following user processes:

iexplore.exe
firefox.exe

Modifies file system

Creates the following files

%WINDIR%y1s2fctrp3
%CommonProgramFiles%\microsoft shared\f07qtt cum tsomq34 bq4kno glans .mpeg.exe
%ProgramFiles%\dvd maker\shared\yzw1afy uncut glans ae2sd7u4xh .zip.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\s2fkave bd1l5ir yzw1afy [milf] titts fw58kpr41ob1w .mpeg.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\mzwpstr8n [free] .rar.exe
%ProgramFiles%\microsoft office\office14\groove\xml files\space templates\f07qtt cum mnho9y54 epyxwn hole .mpeg.exe
%ProgramFiles%\microsoft office\templates\upfgetx porn beast [free] .rar.exe
%ProgramFiles%\microsoft office\templates\1033\onenote\14\notebook templates\gzn4ud7e w6csjja14n1 gay uncut .zip.exe
%ProgramFiles%\windows journal\templates\tsomq34 7vepaqjm cock (sandy,liz).mpg.exe
%ProgramFiles%\windows sidebar\shared gadgets\sperm [bangbus] glans ol6p1tua (sarah).mpeg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\idtemplates\fac71w2 wep6b08 gay epyxwn feet .avi.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files\fac71w2 ddqayq mnho9y54 girls .avi.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files-select\nom72kl sgu4m7oc titts .rar.exe
%CommonProgramFiles(x86)%\microsoft shared\f07qtt porn xxx ihthd33 .mpeg.exe
%ProgramFiles(x86)%\windows sidebar\shared gadgets\porn yzw1afy l9hwcs7vvnphd9 girly .mpg.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\black porn horse l9hwcs7vvnphd9 .zip.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\mzwpstr8n vjq39c1gwy (2hbt8wr).rar.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\s2fkave xakmpl yzw1afy [free] hotel (hyo87il,cy4xpd).avi.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\black w6csjja14n1 mnho9y54 ihthd33 .zip.exe
%ALLUSERSPROFILE%\templates\horse big (2hbt8wr).avi.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\gzn4ud7e w6csjja14n1 lpcu5ai3 epyxwn .zip.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\horse apv53deiq9fw glans nrb42wq .mpg.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\lpcu5ai3 7vepaqjm cock ol6p1tua .zip.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\8r3baiec 7nd83wovj xxx nom72kl hole (sandy,c4w8hqa).mpeg.exe
%ALLUSERSPROFILE%\templates\f1i7cm 8ok6yf yzw1afy l9hwcs7vvnphd9 hotel .rar.exe
C:\users\default\appdata\local\microsoft\windows\<INETFILES>\mzwpstr8n bq4kno feet js80j73 .rar.exe
C:\users\default\appdata\local\temp\fac71w2 horse beast uncut mg9fvb2xk9 (dehod0,y8oxsqa).rar.exe
C:\users\default\appdata\roaming\microsoft\windows\templates\viaz50 nom72kl uncut (y8oxsqa).zip.exe
C:\users\default\templates\8r3baiec 8ok6yf nom72kl feet .rar.exe
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\xxx [free] .zip.exe
%TEMP%\beast bq4kno cock .mpg.exe
%LOCALAPPDATA%\<INETFILES>\fac71w2 horse [free] titts .avi.exe
%LOCALAPPDATA%low\mozilla\temp-{12c7f776-de07-4d8a-a6eb-93019fcb4f66}\ uncut balls .avi.exe
%LOCALAPPDATA%low\mozilla\temp-{28060726-42ae-4e49-b300-93149d394ff5}\sperm uncut glans .zip.exe
%LOCALAPPDATA%low\mozilla\temp-{bc1f1f78-2666-4310-aef7-f6fd5ba4bc43}\beast uncut glans nmibe2 .rar.exe
%APPDATA%\microsoft\templates\s2fkave 7nd83wovj xxx l9hwcs7vvnphd9 hole sweet .rar.exe
%APPDATA%\microsoft\windows\templates\f07qtt horse mnho9y54 big 8bgkvshe1 .zip.exe
%APPDATA%\mozilla\firefox\profiles\apc2n9d1.default-release\storage\temporary\s2fkave h93bklf nom72kl l9hwcs7vvnphd9 (liz).avi.exe
%APPDATA%\thunderbird\profiles\rehh7ft5.default-release\storage\temporary\8r3baiec nude lpcu5ai3 hot (!) (cy4xpd).zip.exe
%HOMEPATH%\templates\eq7k2xcxt w6csjja14n1 mnho9y54 vjq39c1gwy cock .mpg.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor\8r3baiec porn beast nom72kl cock balls (cy4xpd).zip.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor.resources\gzn4ud7e porn mnho9y54 bq4kno hole qq6w54yfhtqrbwcslg .mpeg.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor\horse 7vepaqjm cock 6tl9zg0uqa (dxocjwba).rar.exe
%WINDIR%\assembly\gac_64\microsoft.sharepoint.businessdata.administration.client\jxaglwti bq4kno titts balls .avi.exe
%WINDIR%\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\yzw1afy 7vepaqjm titts wifey .mpg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\mnho9y54 sgu4m7oc 779mipj .mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zap9e41.tmp\beast big boots .mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\horse [milf] glans .mpg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zap6b8e.tmp\black xakmpl mnho9y54 [free] .avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape291.tmp\black bd1l5ir yzw1afy l9hwcs7vvnphd9 cock 50+ (sarah).rar.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape56e.tmp\8r3baiec 7nd83wovj ihthd33 cock .mpeg.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_32\temp\black nude beast l9hwcs7vvnphd9 shoes .zip.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\yzw1afy nom72kl lzxyhb7k .mpeg.exe
%WINDIR%\assembly\temp\gzn4ud7e porn yzw1afy ihthd33 titts .mpeg.exe
%WINDIR%\assembly\tmp\ hot (!) titts .rar.exe
%WINDIR%\microsoft.net\framework\v4.0.30319\temporary asp.net files\eq7k2xcxt w6csjja14n1 mzwpstr8n ihthd33 .avi.exe
%WINDIR%\microsoft.net\framework64\v4.0.30319\temporary asp.net files\black h93bklf tsomq34 big ae2sd7u4xh (sandy,liz).zip.exe
%WINDIR%\pla\templates\z9z7rwe xakmpl lpcu5ai3 girls cock .mpeg.exe
%WINDIR%\security\templates\8r3baiec porn xxx [bangbus] feet hotel .mpeg.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\microsoft\windows\<INETFILES>\fac71w2 cum lpcu5ai3 [milf] sm .mpg.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\temp\fac71w2 bd1l5ir tsomq34 [milf] (jade).rar.exe
%WINDIR%\serviceprofiles\localservice\appdata\roaming\microsoft\windows\templates\gay uncut feet .mpeg.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\microsoft\windows\<INETFILES>\black ddqayq sperm uncut .mpeg.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\temp\fac71w2 h93bklf mzwpstr8n l9hwcs7vvnphd9 .mpeg.exe
%WINDIR%\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\templates\f07qtt w6csjja14n1 gay girls feet nmibe2 .zip.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\nude yzw1afy apv53deiq9fw .mpeg.exe
%WINDIR%\syswow64\fxstmp\f07qtt wep6b08 sperm hot (!) (karin).zip.exe
%WINDIR%\syswow64\ime\shared\eq7k2xcxt horse tsomq34 [free] shoes .zip.exe
%WINDIR%\syswow64\config\systemprofile\fac71w2 porn mzwpstr8n uncut cock .rar.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\f1i7cm cum girls b37oavmx289 .rar.exe
%WINDIR%\syswow64\fxstmp\eq7k2xcxt porn lpcu5ai3 7vepaqjm lady .zip.exe
%WINDIR%\syswow64\ime\shared\black ddqayq mzwpstr8n uncut 8pfmdyy .zip.exe
%WINDIR%\temp\black ddqayq lpcu5ai3 nom72kl glans (haj1oyikd,karin).mpeg.exe

Miscellaneous

Searches for the following windows

ClassName: 'Progman' WindowName: ''
ClassName: 'Proxy Desktop' WindowName: ''

Restarts the analyzed sample

Executes the following

'%WINDIR%\explorer.exe'

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Technical Information

Curing recommendations

Free trial