Trojan.KillProc2.28111

Technical Information

Malicious functions

Terminates or attempts to terminate

the following system processes:

%WINDIR%\explorer.exe
<SYSTEM32>\taskhost.exe
<SYSTEM32>\dwm.exe

the following user processes:

iexplore.exe
firefox.exe

Modifies file system

Creates the following files

%WINDIR%y1s2fctrp3
%CommonProgramFiles%\microsoft shared\xakmpl sgu4m7oc ae2sd7u4xh .mpeg.exe
%ProgramFiles%\dvd maker\shared\viaz50 gay ihthd33 zn3tvn .mpg.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\documentshare\eq7k2xcxt ddqayq vjq39c1gwy (cy4xpd,hyo87il).mpeg.exe
%ProgramFiles%\microsoft office\office14\groove\tooldata\groove.net\grooveforms\formstemplates\black xxx bq4kno (36mho73).rar.exe
%ProgramFiles%\microsoft office\office14\groove\xml files\space templates\eq7k2xcxt h93bklf apv53deiq9fw js80j73 .mpeg.exe
%ProgramFiles%\microsoft office\templates\horse ihthd33 feet .rar.exe
%ProgramFiles%\microsoft office\templates\1033\onenote\14\notebook templates\z9z7rwe gay mnho9y54 apv53deiq9fw .mpeg.exe
%ProgramFiles%\windows journal\templates\4h1e2a346 porn bd1l5ir big .mpeg.exe
%ProgramFiles%\windows sidebar\shared gadgets\z1qxwcd sperm [free] glans (g6u8n4r,sandy).zip.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\idtemplates\fac71w2 w6csjja14n1 big 40+ .mpg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files\asian bd1l5ir bd1l5ir nom72kl (gina).mpeg.exe
%ProgramFiles(x86)%\adobe\acrobat reader dc\reader\webresources\resource0\static\js\plugins\my-sharepoint-files-select\bd1l5ir horse 7vepaqjm .zip.exe
%CommonProgramFiles(x86)%\microsoft shared\nom72kl mnho9y54 nom72kl kfp2yqq wifey .mpg.exe
%ProgramFiles(x86)%\microsoft visual studio 8\common7\ide\vsta\itemtemplates\ikdyfwhy mzwpstr8n mnho9y54 ihthd33 779mipj (36mho73,g6u8n4r).rar.exe
%ProgramFiles(x86)%\windows sidebar\shared gadgets\bd1l5ir bq4kno fw58kpr41ob1w .zip.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\f07qtt horse 7nd83wovj sgu4m7oc .mpeg.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\viaz50 cum l9hwcs7vvnphd9 .mpg.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\f07qtt mzwpstr8n lpcu5ai3 ihthd33 titts (cy4xpd,sandy).rar.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\z1qxwcd 7nd83wovj epyxwn .zip.exe
%ALLUSERSPROFILE%\templates\nude hot (!) (36mho73).rar.exe
%ALLUSERSPROFILE%\microsoft\rac\temp\s2fkave nude apv53deiq9fw boobs fw58kpr41ob1w .mpg.exe
%ALLUSERSPROFILE%\microsoft\search\data\temp\viaz50 xakmpl ihthd33 zmc8ujp .avi.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\sharepoint\horse [free] legs 8pfmdyy .mpeg.exe
%ALLUSERSPROFILE%\microsoft\windows\templates\z9z7rwe sperm mnho9y54 [bangbus] ejn547rbxhd1 .rar.exe
%ALLUSERSPROFILE%\templates\8ok6yf yzw1afy girls (y8oxsqa,dehod0).mpeg.exe
C:\users\default\appdata\local\microsoft\windows\<INETFILES>\gzn4ud7e nom72kl ihthd33 .avi.exe
C:\users\default\appdata\local\temp\s2fkave h93bklf uncut sm .rar.exe
C:\users\default\appdata\local\<INETFILES>\xakmpl uncut sgoibhh (liz).avi.exe
C:\users\default\appdata\roaming\microsoft\windows\templates\f1i7cm sperm girls feet .avi.exe
C:\users\default\templates\eq7k2xcxt xxx big zn3tvn .avi.exe
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\viaz50 horse xxx 7vepaqjm .mpeg.exe
%TEMP%\ uncut .zip.exe
%LOCALAPPDATA%\<INETFILES>\jxaglwti wep6b08 girls (sandy).avi.exe
%LOCALAPPDATA%low\mozilla\temp-{12c7f776-de07-4d8a-a6eb-93019fcb4f66}\7b6fhxi ddqayq 7vepaqjm mg9fvb2xk9 (karin,jade).mpeg.exe
%LOCALAPPDATA%low\mozilla\temp-{28060726-42ae-4e49-b300-93149d394ff5}\z1qxwcd horse apv53deiq9fw cock nmibe2 .rar.exe
%LOCALAPPDATA%low\mozilla\temp-{bc1f1f78-2666-4310-aef7-f6fd5ba4bc43}\asian tsomq34 gay [free] .avi.exe
%APPDATA%\microsoft\templates\tsomq34 lpcu5ai3 apv53deiq9fw rv0y8n .mpeg.exe
%APPDATA%\microsoft\windows\templates\asian horse nom72kl ihthd33 legs (sandy,cy4xpd).rar.exe
%APPDATA%\mozilla\firefox\profiles\apc2n9d1.default-release\storage\temporary\jxaglwti xakmpl l9hwcs7vvnphd9 50+ .mpeg.exe
%APPDATA%\thunderbird\profiles\rehh7ft5.default-release\storage\temporary\gzn4ud7e sperm cum vjq39c1gwy girly (karin,haj1oyikd).rar.exe
%HOMEPATH%\templates\s2fkave beast uncut ejn547rbxhd1 .zip.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor\s2fkave 8ok6yf bq4kno (2hbt8wr).zip.exe
%WINDIR%\assembly\gac_32\microsoft.grouppolicy.admtmpleditor.resources\z9z7rwe ddqayq beast hot (!) zmc8ujp (jade,dehod0).mpeg.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor\horse mzwpstr8n 7vepaqjm 40+ .avi.exe
%WINDIR%\assembly\gac_64\microsoft.grouppolicy.admtmpleditor.resources\fac71w2 gay xakmpl bq4kno shoes (dehod0).avi.exe
%WINDIR%\assembly\gac_64\microsoft.sharepoint.businessdata.administration.client\cum 8ok6yf [milf] zn3tvn (rdl1tfkz).zip.exe
%WINDIR%\assembly\gac_msil\microsoft.sharepoint.businessdata.administration.client.intl\xxx sperm bq4kno jxqgtp 6tl9zg0uqa (dxocjwba).mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\viaz50 ddqayq h93bklf girls 8pfmdyy .mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_32\temp\zap9e41.tmp\eq7k2xcxt 7nd83wovj 7vepaqjm .rar.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\porn uncut .rar.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zap6b8e.tmp\4h1e2a346 gay xakmpl uncut .mpeg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape291.tmp\black beast apv53deiq9fw .mpg.exe
%WINDIR%\assembly\nativeimages_v2.0.50727_64\temp\zape56e.tmp\zc8giv9 beast horse girls 8pfmdyy .mpeg.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_32\temp\nom72kl beast [free] kfp2yqq fw58kpr41ob1w (sarah,sonja).mpg.exe
%WINDIR%\assembly\nativeimages_v4.0.30319_64\temp\f1i7cm wep6b08 bd1l5ir l9hwcs7vvnphd9 ol6p1tua .mpg.exe
%WINDIR%\assembly\temp\z9z7rwe xxx nude bq4kno titts .mpeg.exe
%WINDIR%\assembly\tmp\bd1l5ir horse bq4kno .mpeg.exe
%WINDIR%\microsoft.net\framework\v4.0.30319\temporary asp.net files\nom72kl big cock qx2j1b5 (liz).zip.exe
%WINDIR%\microsoft.net\framework64\v4.0.30319\temporary asp.net files\s2fkave sperm [free] (cy4xpd).mpg.exe
%WINDIR%\pla\templates\sperm horse girls .mpeg.exe
%WINDIR%\security\templates\beast nude big legs .zip.exe
%WINDIR%\serviceprofiles\localservice\appdata\local\microsoft\windows\<INETFILES>\eq7k2xcxt ddqayq ddqayq apv53deiq9fw zn3tvn .avi.exe
%WINDIR%\serviceprofiles\localservice\appdata\roaming\microsoft\windows\templates\tsomq34 ihthd33 kfp2yqq eigt45 (dehod0).avi.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\microsoft\windows\<INETFILES>\0287zh bd1l5ir nom72kl 40+ (36mho73,g6u8n4r).mpeg.exe
%WINDIR%\serviceprofiles\networkservice\appdata\local\temp\zc8giv9 gay ihthd33 .zip.exe
%WINDIR%\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\templates\z1qxwcd xxx apv53deiq9fw .mpeg.exe
%WINDIR%\syswow64\config\systemprofile\8r3baiec ddqayq nom72kl (36mho73,cy4xpd).avi.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\gzn4ud7e tsomq34 cum nom72kl balls (y8oxsqa,cy4xpd).mpeg.exe
%WINDIR%\syswow64\fxstmp\horse ihthd33 cock .avi.exe
%WINDIR%\syswow64\ime\shared\gay [bangbus] sgoibhh .mpg.exe
%WINDIR%\syswow64\config\systemprofile\wep6b08 7vepaqjm 6tl9zg0uqa (36mho73,rdl1tfkz).mpeg.exe
%WINDIR%\syswow64\config\systemprofile\appdata\local\microsoft\windows\<INETFILES>\8r3baiec bd1l5ir big legs (hyo87il).avi.exe
%WINDIR%\syswow64\fxstmp\mnho9y54 nom72kl [milf] titts fw58kpr41ob1w (y8oxsqa,sonja).mpeg.exe
%WINDIR%\syswow64\ime\shared\fac71w2 w6csjja14n1 horse nom72kl legs (karin,g6u8n4r).avi.exe
%WINDIR%\temp\zc8giv9 lpcu5ai3 nom72kl bq4kno .mpeg.exe

Miscellaneous

Searches for the following windows

ClassName: 'Progman' WindowName: ''
ClassName: 'Proxy Desktop' WindowName: ''

Restarts the analyzed sample

Executes the following

'%WINDIR%\explorer.exe'

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial