Trojan.KillProc2.30141

Technical Information

Malicious functions

Terminates or attempts to terminate

the following system processes:

%WINDIR%\explorer.exe
<SYSTEM32>\taskhost.exe
<SYSTEM32>\dwm.exe

the following user processes:

iexplore.exe
firefox.exe

Modifies file system

Creates the following files

%WINDIR%y1s2fctrp3
%CommonProgramFiles%\microsoft shared\h93bklf sgu4m7oc gsva2xn (haj1oyikd).zip.exe
%ProgramFiles%\dvd maker\shared\nom72kl nom72kl ihthd33 .zip.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\zc8giv9 nom72kl nom72kl cock gsva2xn .mpeg.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\7b6fhxi w6csjja14n1 [free] ejn547rbxhd1 .mpg.exe
%ProgramFiles%\microsoft office\office14\groove\xml files\space templates\ddqayq porn hot (!) 8pfmdyy .avi.exe
%ProgramFiles%\microsoft office\templates\4h1e2a346 bd1l5ir sperm uncut boobs ol6p1tua .rar.exe
%ProgramFiles%\microsoft office\templates\1033\onenote\14\notebook templates\zc8giv9 w6csjja14n1 wep6b08 [free] .zip.exe
%ProgramFiles%\windows journal\templates\f1i7cm yzw1afy epyxwn lady .zip.exe
%ProgramFiles%\windows sidebar\shared gadgets\8r3baiec 7nd83wovj nom72kl 8pfmdyy .rar.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\idtemplates\gzn4ud7e w6csjja14n1 [milf] jxqgtp .zip.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files\asian 7nd83wovj cum ihthd33 (sandy).zip.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files-select\ikdyfwhy horse sgu4m7oc b37oavmx289 .zip.exe
%CommonProgramFiles(x86)%\microsoft shared\zc8giv9 yzw1afy porn uncut titts (gina,jenna).mpg.exe
%ProgramFiles(x86)%\windows sidebar\shared gadgets\gzn4ud7e bd1l5ir [bangbus] 50+ .rar.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\beast horse l9hwcs7vvnphd9 .mpg.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\zc8giv9 tsomq34 bd1l5ir uncut glans nrb42wq .rar.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\h93bklf gay hot (!) (sonja,hyo87il).avi.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\4h1e2a346 yzw1afy l9hwcs7vvnphd9 shoes .rar.exe
%ALLUSERSPROFILE%\templates\ikdyfwhy h93bklf mzwpstr8n big lzxyhb7k (sonja,y8oxsqa).rar.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\f1i7cm h93bklf lpcu5ai3 7vepaqjm 8pfmdyy .avi.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\viaz50 gay uncut (y8oxsqa).avi.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\horse epyxwn (jenna).rar.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\ikdyfwhy bd1l5ir uncut feet sweet (g6u8n4r).zip.exe
%ALLUSERSPROFILE%\templates\mzwpstr8n big rv0y8n .rar.exe
C:\users\default\appdata\local\microsoft\windows\<INETFILES>\viaz50 mnho9y54 nom72kl sgu4m7oc kfp2yqq 779mipj .zip.exe
C:\users\default\appdata\local\temp\ikdyfwhy sperm gay apv53deiq9fw cock rv0y8n .avi.exe
C:\users\default\appdata\local\<INETFILES>\4h1e2a346 gay ihthd33 .avi.exe
C:\users\default\appdata\roaming\microsoft\windows\templates\zc8giv9 7nd83wovj nom72kl fishy (rdl1tfkz).avi.exe
C:\users\default\templates\yzw1afy sperm apv53deiq9fw .avi.exe
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\f1i7cm nom72kl w6csjja14n1 7vepaqjm feet 8bgkvshe1 .rar.exe
%TEMP%\wpjwijv bd1l5ir [milf] fw58kpr41ob1w (y8oxsqa).mpeg.exe
%LOCALAPPDATA%\<INETFILES>\s2fkave gay vjq39c1gwy .mpeg.exe
%LOCALAPPDATA%low\mozilla\temp-{12c7f776-de07-4d8a-a6eb-93019fcb4f66}\asian ddqayq horse apv53deiq9fw ae2sd7u4xh (hyo87il,sandy).avi.exe
%LOCALAPPDATA%low\mozilla\temp-{bc1f1f78-2666-4310-aef7-f6fd5ba4bc43}\w6csjja14n1 l9hwcs7vvnphd9 .zip.exe
%APPDATA%\microsoft\templates\horse xxx vjq39c1gwy 6tl9zg0uqa (karin,y8oxsqa).mpeg.exe
%APPDATA%\microsoft\windows\templates\8r3baiec 7vepaqjm feet ejn547rbxhd1 (rdl1tfkz,karin).mpg.exe
%APPDATA%\mozilla\firefox\profiles\apc2n9d1.default-release\storage\temporary\porn bd1l5ir [milf] zmc8ujp (c4w8hqa).mpg.exe
%APPDATA%\thunderbird\profiles\rehh7ft5.default-release\storage\temporary\f07qtt nom72kl hot (!) feet sm .avi.exe
%HOMEPATH%\templates\ikdyfwhy [free] kfp2yqq (jenna).avi.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor\eq7k2xcxt mnho9y54 girls sm .mpeg.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor.resources\ddqayq vjq39c1gwy (liz).mpeg.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor\s2fkave nom72kl big (sonja,sonja).zip.exe
%WINDIR%\assembly\gac_64\microsoft.sharepoint.businessdata.administration.client\gay nom72kl ash .rar.exe
%WINDIR%\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\ cum [milf] 6tl9zg0uqa .avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\f1i7cm horse [milf] .mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zap9e41.tmp\ikdyfwhy nude [milf] zn3tvn .avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\8r3baiec h93bklf mzwpstr8n epyxwn mg9fvb2xk9 (cy4xpd).rar.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zap6b8e.tmp\viaz50 horse ihthd33 kfp2yqq (36mho73).mpg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape291.tmp\xxx l9hwcs7vvnphd9 ol6p1tua (y8oxsqa,y8oxsqa).mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape56e.tmp\upfgetx wep6b08 beast epyxwn qx2j1b5 .rar.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_32\temp\7b6fhxi nude sgu4m7oc kfp2yqq .zip.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\f1i7cm wep6b08 ihthd33 (c4w8hqa).mpeg.exe
%WINDIR%\assembly\temp\gay beast nom72kl jxqgtp sweet .zip.exe
%WINDIR%\assembly\tmp\horse tsomq34 [milf] ejn547rbxhd1 (2hbt8wr).avi.exe
%WINDIR%\microsoft.net\framework\v4.0.30319\temporary asp.net files\horse hot (!) kfp2yqq lzxyhb7k .avi.exe
%WINDIR%\microsoft.net\framework64\v4.0.30319\temporary asp.net files\zc8giv9 horse girls hairy .zip.exe
%WINDIR%\pla\templates\4h1e2a346 sperm xakmpl apv53deiq9fw fishy .zip.exe
%WINDIR%\security\templates\xxx yzw1afy sgu4m7oc .avi.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\microsoft\windows\<INETFILES>\8r3baiec beast l9hwcs7vvnphd9 mg9fvb2xk9 .mpg.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\temp\xakmpl yzw1afy uncut boobs (jade,dehod0).avi.exe
%WINDIR%\serviceprofiles\localservice\appdata\roaming\microsoft\windows\templates\black lpcu5ai3 nom72kl zmc8ujp .avi.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\microsoft\windows\<INETFILES>\w6csjja14n1 7vepaqjm feet .zip.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\temp\fac71w2 tsomq34 [free] glans wifey .zip.exe
%WINDIR%\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\templates\ ihthd33 boobs ash (36mho73).mpg.exe
%WINDIR%\syswow64\config\systemprofile\8r3baiec xxx mzwpstr8n apv53deiq9fw rv0y8n (haj1oyikd).zip.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\xxx xxx hot (!) boots (g6u8n4r).mpeg.exe
%WINDIR%\syswow64\fxstmp\z9z7rwe lpcu5ai3 [milf] 8pfmdyy .rar.exe
%WINDIR%\syswow64\ime\shared\f07qtt ddqayq nom72kl uncut mg9fvb2xk9 .avi.exe
%WINDIR%\syswow64\config\systemprofile\ikdyfwhy lpcu5ai3 tsomq34 big boots .zip.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\7b6fhxi 8ok6yf sgu4m7oc latex .rar.exe
%WINDIR%\syswow64\fxstmp\upfgetx h93bklf nom72kl lady (dxocjwba,liz).zip.exe
%WINDIR%\syswow64\ime\shared\bd1l5ir porn girls .mpeg.exe
%WINDIR%\temp\ddqayq lpcu5ai3 bq4kno 40+ .zip.exe

Miscellaneous

Searches for the following windows

ClassName: 'Progman' WindowName: ''
ClassName: 'Proxy Desktop' WindowName: ''

Restarts the analyzed sample

Executes the following

'%WINDIR%\explorer.exe'

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Technical Information

Curing recommendations

Free trial