Trojan.KillProc2.28328

Technical Information

Malicious functions

Terminates or attempts to terminate

the following system processes:

%WINDIR%\explorer.exe
<SYSTEM32>\taskhost.exe
<SYSTEM32>\dwm.exe

the following user processes:

iexplore.exe
firefox.exe

Modifies file system

Creates the following files

%WINDIR%y1s2fctrp3
%CommonProgramFiles%\microsoft shared\zc8giv9 bd1l5ir yzw1afy l9hwcs7vvnphd9 gsva2xn (rdl1tfkz,sandy).mpeg.exe
%ProgramFiles%\dvd maker\shared\8r3baiec horse ihthd33 qx2j1b5 .mpeg.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\nom72kl [milf] kfp2yqq mg9fvb2xk9 .zip.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\xxx apv53deiq9fw kfp2yqq .mpg.exe
%ProgramFiles%\microsoft office\office14\groove\xml files\space templates\viaz50 nom72kl h93bklf ihthd33 .avi.exe
%ProgramFiles%\microsoft office\templates\wpjwijv mzwpstr8n sgu4m7oc hole (sonja,g6u8n4r).mpeg.exe
%ProgramFiles%\microsoft office\templates\1033\onenote\14\notebook templates\asian mnho9y54 wep6b08 uncut .zip.exe
%ProgramFiles%\windows journal\templates\horse sperm l9hwcs7vvnphd9 qq6w54yfhtqrbwcslg (gina).zip.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\idtemplates\black sperm 7vepaqjm .rar.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files\asian w6csjja14n1 bq4kno ash 779mipj .mpeg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files-select\f1i7cm mnho9y54 beast vjq39c1gwy titts js80j73 .avi.exe
%CommonProgramFiles(x86)%\microsoft shared\viaz50 ddqayq nom72kl .rar.exe
%ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\vsta\itemtemplates\gay w6csjja14n1 7vepaqjm gsva2xn .rar.exe
%ProgramFiles(x86)%\windows sidebar\shared gadgets\asian 8ok6yf bd1l5ir uncut wifey .mpg.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\viaz50 horse ihthd33 rv0y8n (g6u8n4r,y8oxsqa).avi.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\ddqayq bd1l5ir uncut (dxocjwba).avi.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\black gay l9hwcs7vvnphd9 zn3tvn .mpeg.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\viaz50 bq4kno qq6w54yfhtqrbwcslg (karin,dxocjwba).mpg.exe
%ALLUSERSPROFILE%\templates\zc8giv9 ddqayq [milf] girly .mpeg.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\xakmpl tsomq34 uncut lady .avi.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\4h1e2a346 mnho9y54 bq4kno glans hotel .rar.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\wpjwijv xxx ihthd33 ash ejn547rbxhd1 (sandy).avi.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\asian bd1l5ir nom72kl l9hwcs7vvnphd9 titts .mpg.exe
%ALLUSERSPROFILE%\templates\jxaglwti gay l9hwcs7vvnphd9 js80j73 (rdl1tfkz,rdl1tfkz).mpg.exe
C:\users\default\appdata\local\microsoft\windows\<INETFILES>\gay ihthd33 .zip.exe
C:\users\default\appdata\local\temp\horse l9hwcs7vvnphd9 .avi.exe
C:\users\default\appdata\local\<INETFILES>\f1i7cm w6csjja14n1 ihthd33 .mpeg.exe
C:\users\default\appdata\roaming\microsoft\windows\templates\z1qxwcd ddqayq bq4kno cock boots .mpg.exe
C:\users\default\templates\h93bklf sgu4m7oc .avi.exe
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\xakmpl 7vepaqjm hole (sonja,jade).mpeg.exe
%TEMP%\zc8giv9 beast porn uncut boobs .rar.exe
%LOCALAPPDATA%\<INETFILES>\8ok6yf porn uncut gsva2xn (dxocjwba,dxocjwba).mpg.exe
%LOCALAPPDATA%low\mozilla\temp-{12c7f776-de07-4d8a-a6eb-93019fcb4f66}\nom72kl 8ok6yf [bangbus] kfp2yqq .mpg.exe
%LOCALAPPDATA%low\mozilla\temp-{28060726-42ae-4e49-b300-93149d394ff5}\gay ihthd33 .zip.exe
%LOCALAPPDATA%low\mozilla\temp-{bc1f1f78-2666-4310-aef7-f6fd5ba4bc43}\gzn4ud7e wep6b08 mzwpstr8n 7vepaqjm .rar.exe
%APPDATA%\microsoft\templates\wep6b08 [free] 779mipj .zip.exe
%APPDATA%\microsoft\windows\templates\7b6fhxi gay 7vepaqjm js80j73 .zip.exe
%APPDATA%\mozilla\firefox\profiles\apc2n9d1.default-release\storage\temporary\z9z7rwe mnho9y54 big gsva2xn (jade,sonja).rar.exe
%APPDATA%\thunderbird\profiles\rehh7ft5.default-release\storage\temporary\black mnho9y54 [bangbus] boobs .mpeg.exe
%HOMEPATH%\templates\8r3baiec beast yzw1afy bq4kno kfp2yqq eigt45 .avi.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor\porn epyxwn hotel .rar.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor.resources\ddqayq sgu4m7oc (36mho73,g6u8n4r).mpeg.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor\wep6b08 [bangbus] legs girly .rar.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor.resources\viaz50 cum apv53deiq9fw cock (rdl1tfkz).avi.exe
%WINDIR%\assembly\gac_64\microsoft.sharepoint.businessdata.administration.client\wpjwijv lpcu5ai3 nom72kl .mpeg.exe
%WINDIR%\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\4h1e2a346 8ok6yf uncut .mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zc8giv9 tsomq34 bq4kno cock 50+ .zip.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zap9e41.tmp\w6csjja14n1 ihthd33 glans 40+ .avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zap6b8e.tmp\gzn4ud7e mnho9y54 7vepaqjm hole zn3tvn (gina,2hbt8wr).avi.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape291.tmp\w6csjja14n1 big fw58kpr41ob1w (sandy).mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape56e.tmp\8r3baiec nude girls .rar.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_32\temp\yzw1afy l9hwcs7vvnphd9 zn3tvn .rar.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\upfgetx sperm w6csjja14n1 [free] shoes (gina,36mho73).avi.exe
%WINDIR%\assembly\temp\wpjwijv beast gay [bangbus] latex (jade,rdl1tfkz).avi.exe
%WINDIR%\assembly\tmp\asian xakmpl apv53deiq9fw .rar.exe
%WINDIR%\microsoft.net\framework\v4.0.30319\temporary asp.net files\7nd83wovj ddqayq epyxwn zn3tvn .rar.exe
%WINDIR%\microsoft.net\framework64\v4.0.30319\temporary asp.net files\viaz50 tsomq34 bq4kno (sonja).avi.exe
%WINDIR%\pla\templates\nude vjq39c1gwy eigt45 .avi.exe
%WINDIR%\security\templates\horse epyxwn zmc8ujp .mpeg.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\microsoft\windows\<INETFILES>\wpjwijv bd1l5ir 8ok6yf apv53deiq9fw nmibe2 .mpeg.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\temp\jxaglwti nom72kl hot (!) .mpg.exe
%WINDIR%\serviceprofiles\localservice\appdata\roaming\microsoft\windows\templates\wpjwijv xakmpl wep6b08 nom72kl lzxyhb7k .rar.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\microsoft\windows\<INETFILES>\black lpcu5ai3 vjq39c1gwy (36mho73,dxocjwba).mpg.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\temp\f07qtt 8ok6yf ddqayq uncut hotel (dxocjwba,y8oxsqa).zip.exe
%WINDIR%\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\templates\7b6fhxi beast sgu4m7oc hole .rar.exe
%WINDIR%\syswow64\config\systemprofile\zc8giv9 xxx sgu4m7oc titts gh5b6gd7wrv .mpeg.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\z9z7rwe mnho9y54 lpcu5ai3 [milf] fw58kpr41ob1w (36mho73).mpg.exe
%WINDIR%\syswow64\fxstmp\z9z7rwe xxx uncut .zip.exe
%WINDIR%\syswow64\ime\shared\horse 8ok6yf uncut zmc8ujp (g6u8n4r).rar.exe
%WINDIR%\syswow64\config\systemprofile\f1i7cm xxx bd1l5ir uncut gsva2xn .mpeg.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\w6csjja14n1 uncut hole zn3tvn .avi.exe
%WINDIR%\syswow64\fxstmp\8ok6yf sgu4m7oc fishy (g6u8n4r,jenna).zip.exe
%WINDIR%\syswow64\ime\shared\8r3baiec beast [milf] sm .rar.exe
%WINDIR%\temp\eq7k2xcxt mzwpstr8n yzw1afy apv53deiq9fw lzxyhb7k (dxocjwba,y8oxsqa).zip.exe

Miscellaneous

Searches for the following windows

ClassName: 'Progman' WindowName: ''
ClassName: 'Proxy Desktop' WindowName: ''

Restarts the analyzed sample

Executes the following

'%WINDIR%\explorer.exe'

Tecnologías

Términos

Formación y educación

Mitos

Technical Information

Curing recommendations

Free trial