Trojan.KillProc2.17915

Technical Information

To ensure autorun and distribution

Sets the following service settings

[<HKLM>\SYSTEM\CurrentControlSet\Services\SysMain] 'Start' = '00000002'

Malicious functions

Executes the following

'<SYSTEM32>\taskkill.exe' /F /IM explorer.exe

Terminates or attempts to terminate

the following system processes:

%WINDIR%\explorer.exe

Modifies file system

Creates the following files

%TEMP%\8yi7aeb1.bat
nul

Deletes the following files

%TEMP%\8yi7aeb1.bat

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: ''
ClassName: 'Progman' WindowName: ''
ClassName: 'Proxy Desktop' WindowName: ''
ClassName: 'SystemTray_Main' WindowName: ''
ClassName: 'Media Center Tray Applet' WindowName: ''
ClassName: '' WindowName: 'View Available Networks'
ClassName: 'BluetoothNotificationAreaIconWindowClass' WindowName: 'BluetoothNotificationAreaIconWindowClass'
ClassName: 'BluetoothNotificationAreaIconWindowClass' WindowName: ''

Creates and executes the following

'<SYSTEM32>\cmd.exe' /c ""%TEMP%\8YI7AEB1.bat" "<Full path to file>" "' (with hidden window)

Executes the following

'<SYSTEM32>\cmd.exe' /c ""%TEMP%\8YI7AEB1.bat" "<Full path to file>" "
'<SYSTEM32>\reg.exe' ADD "HKCU\Software\Microsoft\Windows\DWM" /v "Composition" /t REG_DWORD /d "1" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseQualityUpdatesEndTime" /t REG_SZ /d "2030-01-01T10:38:56Z" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseFeatureUpdatesEndTime" /t REG_SZ /d "2030-01-01T10:38:56Z" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseUpdatesExpiryTime" /t REG_SZ /d "2030-01-01T10:38:56Z" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseQualityUpdatesStartTime" /t REG_SZ /d "2019-07-28T10:38:56Z" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PauseFeatureUpdatesStartTime" /t REG_SZ /d "2019-07-28T10:38:56Z" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "PendingRebootStartTime" /t REG_SZ /d "2019-07-28T03:07:38Z" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "InsiderProgramEnabled" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "UxOption" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "LastToastAction" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "FlightCommitted" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "ExcludeWUDriversInQualityUpdate" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\Software\Microsoft\Windows\DWM" /v "AccentColorInactive" /t REG_DWORD /d "4278452741" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "DeferQualityUpdatesPeriodInDays" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "AllowAutoWindowsUpdateDownloadOverMeteredNetwork" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "ActiveHoursStart" /t REG_DWORD /d "8" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "ActiveHoursEnd" /t REG_DWORD /d "17" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX" /v "IsConvergedUpdateStackEnabled" /t REG_DWORD /d "1" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings" /v "PausedQualityStatus" /t REG_DWORD /d "1" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings" /v "PausedFeatureStatus" /t REG_DWORD /d "1" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v "DisableNotificationCenter" /t REG_DWORD /d "1" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Services\WinRM" /v "Start" /t REG_DWORD /d "4" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Services\WbioSrvc" /v "Start" /t REG_DWORD /d "3" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Services\SysMain" /v "Start" /t REG_DWORD /d "2" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings" /v "DeferFeatureUpdatesPeriodInDays" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "AccentPalette" /f
'<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /Disable
'<SYSTEM32>\reg.exe' ADD "HKCU\Software\Microsoft\Windows\DWM" /v "ColorizationAfterglow" /t REG_DWORD /d "984850" /f
'<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /Disable
'<SYSTEM32>\schtasks.exe' /Change /TN "Microsoft\Windows\LanguageComponentsInstaller\Installation" /Disable
'<SYSTEM32>\reg.exe' ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement" /v "ScoobeSystemSettingEnabled" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d "1" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "1" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "UseOLEDTaskbarTransparency" /t REG_DWORD /d "1" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "IconsOnly" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "IconsOnly" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisableThumbnails" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisableThumbnails" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\Control Panel\Desktop" /v "JPEGImportQuality" /t REG_DWORD /d "256" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d "1" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v "Start" /t REG_DWORD /d "4" /f
'<SYSTEM32>\reg.exe' add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "StartColorMenu" /t REG_DWORD /d "2164772" /f
'<SYSTEM32>\reg.exe' add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v "AccentColorMenu" /t REG_DWORD /d "4279174930" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "SystemUsesLightTheme" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "EnableTransparency" /t REG_DWORD /d "1" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "ColorPrevalence" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\Software\Microsoft\Windows\DWM" /v "EnableAeroPeek" /t REG_DWORD /d "1" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\Software\Microsoft\Windows\DWM" /v "ColorPrevalence" /t REG_DWORD /d "1" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\Software\Microsoft\Windows\DWM" /v "AccentColor" /t REG_DWORD /d "984850" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\Software\Microsoft\Windows\DWM" /v "ColorizationGlassAttribute" /t REG_DWORD /d "1" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\Software\Microsoft\Windows\DWM" /v "EnableWindowColorization" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\Software\Microsoft\Windows\DWM" /v "ColorizationBlurBalance" /t REG_DWORD /d "1" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\Software\Microsoft\Windows\DWM" /v "ColorizationAfterglowBalance" /t REG_DWORD /d "10" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\Software\Microsoft\Windows\DWM" /v "ColorizationColor" /t REG_DWORD /d "984850" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\Software\Microsoft\Windows\DWM" /v "ColorizationColorBalance" /t REG_DWORD /d "89" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Services\RetailDemo" /v "Start" /t REG_DWORD /d "4" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\WOW6432Node\GhostSpectre" /v "Ghost_Mode" /t REG_DWORD /d 1 /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "SettingsPageVisibility" /t REG_SZ /d "hide:maps;cortana;cortana-language;windowsinsider;windowsinsider-optin;findmydev...
'<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "SnapToVideoV11" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "StartInMediaGuide" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "AskMeAgain" /t REG_SZ /d "No" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "SendUserGUID" /t REG_BINARY /d "00" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "UsageTracking" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "DisableMRU" /t REG_DWORD /d "1" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "SilentDRMConfiguration" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "SilentAcquisition" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "MetadataRetrieval" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "LibraryHasBeenRun" /t REG_DWORD /d "1" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "FlushRatingsToFiles" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex" /v "EnableFindMyFiles" /t REG_DWORD /d "1" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "FirstRun" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "DeleteRemovesFromComputer" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "AutoAddVideoToLibrary" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "AutoAddMusicToLibrary" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "AddVideosFromPicturesLibrary" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "AcceptedPrivacyStatement" /t REG_DWORD /d "1" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\WindowsMediaPlayer" /v "GroupPrivacyAcceptance" /t REG_DWORD /d "1" /f
'<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework" /v "OnlyUseLatestCLR" /t REG_DWORD /d 1 /f
'<SYSTEM32>\reg.exe' ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework" /v "OnlyUseLatestCLR" /t REG_DWORD /d 1 /f
'<SYSTEM32>\cscript.exe' //B "<SYSTEM32>\slmgr.vbs" /ipk D9W3G-NR2D7-6W3RK-WDD4J-7FR9G
'<SYSTEM32>\reg.exe' ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowCortanaButton" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "SearchboxTaskbarMode" /t REG_DWORD /d "1" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Microsoft\MediaPlayer\Preferences" /v "DisableLicenseRefresh" /t REG_DWORD /d "1" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Services\SENS" /v "Start" /t REG_DWORD /d "4" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Services\PNRPAutoReg" /v "Start" /t REG_DWORD /d "4" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Biometrics" /v "Enabled" /t REG_DWORD /d 0 /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Services\PhoneSvc" /v "Start" /t REG_DWORD /d "4" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Services\p2pimsvc" /v "Start" /t REG_DWORD /d "4" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Services\p2psvc" /v "Start" /t REG_DWORD /d "4" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Services\PNRPsvc" /v "Start" /t REG_DWORD /d "4" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Services\SEMgrSvc" /v "Start" /t REG_DWORD /d "4" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Services\CscService" /v "Start" /t REG_DWORD /d "4" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Services\SmsRouter" /v "Start" /t REG_DWORD /d "4" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Services\MapsBroker" /v "Start" /t REG_DWORD /d "4" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Services\cbdhsvc" /v "Start" /t REG_DWORD /d "4" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Services\PeerDistSvc" /v "Start" /t REG_DWORD /d "4" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Services\AssignedAccessManagerSvc" /v "Start" /t REG_DWORD /d "4" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Services\DiagTrack" /v "Start" /t REG_DWORD /d "4" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "3" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Services\UevAgentService" /v "Start" /t REG_DWORD /d "4" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Services\TabletInputService" /v "Start" /t REG_DWORD /d "4" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Services\WpnService" /v "Start" /t REG_DWORD /d "4" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\PushNotifications" /v "ToastEnabled" /t REG_DWORD /d "0" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f
'<SYSTEM32>\reg.exe' ADD "HKCU\Software\Policies\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d "1" /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows\Personalization" /v "NoLockScreen" /t REG_DWORD /d "0" /f
'<SYSTEM32>\attrib.exe' +h /s /d "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\CPUID"
'<SYSTEM32>\attrib.exe' +h /s /d "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\7-Zip"
'<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "GameDVR_Enabled" /t REG_DWORD /d 0 /f
'<SYSTEM32>\reg.exe' ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d 0 /f
'<SYSTEM32>\powercfg.exe' /h off
'<SYSTEM32>\reg.exe' DELETE "HKLM\SOFTWARE\NTLite" /f
'%WINDIR%\explorer.exe'

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Technical Information

Curing recommendations

Free trial