5081ca4672184aaa9e4afa22aec015b79038fcca7d7f8c0650727c541c3d884b

Resubmissions

24/02/2022, 22:11

220224-131k2sfaej 10

07/01/2021, 07:12

210107-27q11jvw52 10

Analysis

max time kernel
43s
max time network
111s
platform
windows10_x64
resource
win10v20201028
submitted
07/01/2021, 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qGHJqiji.bin.exe
Size

9KB
MD5

1c0d1af30fc12cb964335c0a20ffeedd
SHA1

20669e2263e4939732a938e1bfa2f770e0f45aa4
SHA256

5081ca4672184aaa9e4afa22aec015b79038fcca7d7f8c0650727c541c3d884b
SHA512

b0541379baca8fc491b6027958b71672de886f13713f0704201d53b140b198f750c90c953ceeed221942cfe792e39fa22684aa0dd064f2aac719da193c5213d0

Score

10^/10

evasion trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/files/0x0008000000000687-13.dat	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Kills process with taskkill 1 IoCs

evasion

pid	Process
940	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 523 IoCs

pid	Process
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe
3132	powershell.exe
3132	powershell.exe
908	powershell.exe
908	powershell.exe
908	powershell.exe
3132	powershell.exe
908	powershell.exe
3132	powershell.exe
1852	powershell.exe
1852	powershell.exe
2228	powershell.exe
2228	powershell.exe
3412	powershell.exe
3412	powershell.exe
2228	powershell.exe
4060	powershell.exe
4060	powershell.exe
1448	powershell.exe
1448	powershell.exe
184	powershell.exe
184	powershell.exe
4228	powershell.exe
4228	powershell.exe
1852	powershell.exe
4444	powershell.exe
4444	powershell.exe
3908	powershell.exe
3908	powershell.exe
4444	powershell.exe
3412	powershell.exe
184	powershell.exe
4060	powershell.exe
4228	powershell.exe
3908	powershell.exe
1448	powershell.exe
2228	powershell.exe
1852	powershell.exe
3412	powershell.exe
184	powershell.exe
4444	powershell.exe
3908	powershell.exe
4060	powershell.exe
4228	powershell.exe
1448	powershell.exe

Suspicious use of AdjustPrivilegeToken 244 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	qGHJqiji.bin.exe
Token: SeDebugPrivilege	940	taskkill.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	3412	powershell.exe
Token: SeDebugPrivilege	184	powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	3908	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeIncreaseQuotaPrivilege	908	powershell.exe
Token: SeSecurityPrivilege	908	powershell.exe
Token: SeTakeOwnershipPrivilege	908	powershell.exe
Token: SeLoadDriverPrivilege	908	powershell.exe
Token: SeSystemProfilePrivilege	908	powershell.exe
Token: SeSystemtimePrivilege	908	powershell.exe
Token: SeProfSingleProcessPrivilege	908	powershell.exe
Token: SeIncBasePriorityPrivilege	908	powershell.exe
Token: SeCreatePagefilePrivilege	908	powershell.exe
Token: SeBackupPrivilege	908	powershell.exe
Token: SeRestorePrivilege	908	powershell.exe
Token: SeShutdownPrivilege	908	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeSystemEnvironmentPrivilege	908	powershell.exe
Token: SeRemoteShutdownPrivilege	908	powershell.exe
Token: SeUndockPrivilege	908	powershell.exe
Token: SeManageVolumePrivilege	908	powershell.exe
Token: 33	908	powershell.exe
Token: 34	908	powershell.exe
Token: 35	908	powershell.exe
Token: 36	908	powershell.exe
Token: SeIncreaseQuotaPrivilege	3132	powershell.exe
Token: SeSecurityPrivilege	3132	powershell.exe
Token: SeTakeOwnershipPrivilege	3132	powershell.exe
Token: SeLoadDriverPrivilege	3132	powershell.exe
Token: SeSystemProfilePrivilege	3132	powershell.exe
Token: SeSystemtimePrivilege	3132	powershell.exe
Token: SeProfSingleProcessPrivilege	3132	powershell.exe
Token: SeIncBasePriorityPrivilege	3132	powershell.exe
Token: SeCreatePagefilePrivilege	3132	powershell.exe
Token: SeBackupPrivilege	3132	powershell.exe
Token: SeRestorePrivilege	3132	powershell.exe
Token: SeShutdownPrivilege	3132	powershell.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeSystemEnvironmentPrivilege	3132	powershell.exe
Token: SeRemoteShutdownPrivilege	3132	powershell.exe
Token: SeUndockPrivilege	3132	powershell.exe
Token: SeManageVolumePrivilege	3132	powershell.exe
Token: 33	3132	powershell.exe
Token: 34	3132	powershell.exe
Token: 35	3132	powershell.exe
Token: 36	3132	powershell.exe
Token: SeIncreaseQuotaPrivilege	2228	powershell.exe
Token: SeSecurityPrivilege	2228	powershell.exe
Token: SeTakeOwnershipPrivilege	2228	powershell.exe
Token: SeLoadDriverPrivilege	2228	powershell.exe
Token: SeSystemProfilePrivilege	2228	powershell.exe
Token: SeSystemtimePrivilege	2228	powershell.exe
Token: SeProfSingleProcessPrivilege	2228	powershell.exe
Token: SeIncBasePriorityPrivilege	2228	powershell.exe
Token: SeCreatePagefilePrivilege	2228	powershell.exe
Token: SeBackupPrivilege	2228	powershell.exe
Token: SeRestorePrivilege	2228	powershell.exe
Token: SeShutdownPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeSystemEnvironmentPrivilege	2228	powershell.exe
Token: SeRemoteShutdownPrivilege	2228	powershell.exe
Token: SeUndockPrivilege	2228	powershell.exe
Token: SeManageVolumePrivilege	2228	powershell.exe
Token: 33	2228	powershell.exe
Token: 34	2228	powershell.exe
Token: 35	2228	powershell.exe
Token: 36	2228	powershell.exe
Token: SeIncreaseQuotaPrivilege	3908	powershell.exe
Token: SeSecurityPrivilege	3908	powershell.exe
Token: SeTakeOwnershipPrivilege	3908	powershell.exe
Token: SeLoadDriverPrivilege	3908	powershell.exe
Token: SeSystemProfilePrivilege	3908	powershell.exe
Token: SeSystemtimePrivilege	3908	powershell.exe
Token: SeProfSingleProcessPrivilege	3908	powershell.exe
Token: SeIncBasePriorityPrivilege	3908	powershell.exe
Token: SeCreatePagefilePrivilege	3908	powershell.exe
Token: SeBackupPrivilege	3908	powershell.exe
Token: SeRestorePrivilege	3908	powershell.exe
Token: SeShutdownPrivilege	3908	powershell.exe
Token: SeDebugPrivilege	3908	powershell.exe
Token: SeSystemEnvironmentPrivilege	3908	powershell.exe
Token: SeRemoteShutdownPrivilege	3908	powershell.exe
Token: SeUndockPrivilege	3908	powershell.exe
Token: SeManageVolumePrivilege	3908	powershell.exe
Token: 33	3908	powershell.exe
Token: 34	3908	powershell.exe
Token: 35	3908	powershell.exe
Token: 36	3908	powershell.exe
Token: SeIncreaseQuotaPrivilege	4228	powershell.exe
Token: SeSecurityPrivilege	4228	powershell.exe
Token: SeTakeOwnershipPrivilege	4228	powershell.exe
Token: SeLoadDriverPrivilege	4228	powershell.exe
Token: SeSystemProfilePrivilege	4228	powershell.exe
Token: SeSystemtimePrivilege	4228	powershell.exe
Token: SeProfSingleProcessPrivilege	4228	powershell.exe
Token: SeIncBasePriorityPrivilege	4228	powershell.exe
Token: SeCreatePagefilePrivilege	4228	powershell.exe
Token: SeBackupPrivilege	4228	powershell.exe
Token: SeRestorePrivilege	4228	powershell.exe
Token: SeShutdownPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeSystemEnvironmentPrivilege	4228	powershell.exe
Token: SeRemoteShutdownPrivilege	4228	powershell.exe
Token: SeUndockPrivilege	4228	powershell.exe
Token: SeManageVolumePrivilege	4228	powershell.exe
Token: 33	4228	powershell.exe
Token: 34	4228	powershell.exe
Token: 35	4228	powershell.exe
Token: 36	4228	powershell.exe
Token: SeIncreaseQuotaPrivilege	1852	powershell.exe
Token: SeSecurityPrivilege	1852	powershell.exe
Token: SeTakeOwnershipPrivilege	1852	powershell.exe
Token: SeLoadDriverPrivilege	1852	powershell.exe
Token: SeSystemProfilePrivilege	1852	powershell.exe
Token: SeSystemtimePrivilege	1852	powershell.exe
Token: SeProfSingleProcessPrivilege	1852	powershell.exe
Token: SeIncBasePriorityPrivilege	1852	powershell.exe
Token: SeCreatePagefilePrivilege	1852	powershell.exe
Token: SeBackupPrivilege	1852	powershell.exe
Token: SeRestorePrivilege	1852	powershell.exe
Token: SeShutdownPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeSystemEnvironmentPrivilege	1852	powershell.exe
Token: SeRemoteShutdownPrivilege	1852	powershell.exe
Token: SeUndockPrivilege	1852	powershell.exe
Token: SeManageVolumePrivilege	1852	powershell.exe
Token: 33	1852	powershell.exe
Token: 34	1852	powershell.exe
Token: 35	1852	powershell.exe
Token: 36	1852	powershell.exe
Token: SeIncreaseQuotaPrivilege	4444	powershell.exe
Token: SeSecurityPrivilege	4444	powershell.exe
Token: SeTakeOwnershipPrivilege	4444	powershell.exe
Token: SeLoadDriverPrivilege	4444	powershell.exe
Token: SeSystemProfilePrivilege	4444	powershell.exe
Token: SeSystemtimePrivilege	4444	powershell.exe
Token: SeProfSingleProcessPrivilege	4444	powershell.exe
Token: SeIncBasePriorityPrivilege	4444	powershell.exe
Token: SeCreatePagefilePrivilege	4444	powershell.exe
Token: SeBackupPrivilege	4444	powershell.exe
Token: SeRestorePrivilege	4444	powershell.exe
Token: SeShutdownPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeSystemEnvironmentPrivilege	4444	powershell.exe
Token: SeRemoteShutdownPrivilege	4444	powershell.exe
Token: SeUndockPrivilege	4444	powershell.exe
Token: SeManageVolumePrivilege	4444	powershell.exe
Token: 33	4444	powershell.exe
Token: 34	4444	powershell.exe
Token: 35	4444	powershell.exe
Token: 36	4444	powershell.exe
Token: SeIncreaseQuotaPrivilege	3412	powershell.exe
Token: SeSecurityPrivilege	3412	powershell.exe
Token: SeTakeOwnershipPrivilege	3412	powershell.exe
Token: SeLoadDriverPrivilege	3412	powershell.exe
Token: SeSystemProfilePrivilege	3412	powershell.exe
Token: SeSystemtimePrivilege	3412	powershell.exe
Token: SeProfSingleProcessPrivilege	3412	powershell.exe
Token: SeIncBasePriorityPrivilege	3412	powershell.exe
Token: SeCreatePagefilePrivilege	3412	powershell.exe
Token: SeBackupPrivilege	3412	powershell.exe
Token: SeRestorePrivilege	3412	powershell.exe
Token: SeShutdownPrivilege	3412	powershell.exe
Token: SeDebugPrivilege	3412	powershell.exe
Token: SeSystemEnvironmentPrivilege	3412	powershell.exe
Token: SeRemoteShutdownPrivilege	3412	powershell.exe
Token: SeUndockPrivilege	3412	powershell.exe
Token: SeManageVolumePrivilege	3412	powershell.exe
Token: 33	3412	powershell.exe
Token: 34	3412	powershell.exe
Token: 35	3412	powershell.exe
Token: 36	3412	powershell.exe
Token: SeIncreaseQuotaPrivilege	4060	powershell.exe
Token: SeSecurityPrivilege	4060	powershell.exe
Token: SeTakeOwnershipPrivilege	4060	powershell.exe
Token: SeLoadDriverPrivilege	4060	powershell.exe
Token: SeSystemProfilePrivilege	4060	powershell.exe
Token: SeSystemtimePrivilege	4060	powershell.exe
Token: SeProfSingleProcessPrivilege	4060	powershell.exe
Token: SeIncBasePriorityPrivilege	4060	powershell.exe
Token: SeCreatePagefilePrivilege	4060	powershell.exe
Token: SeBackupPrivilege	4060	powershell.exe
Token: SeRestorePrivilege	4060	powershell.exe
Token: SeShutdownPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeSystemEnvironmentPrivilege	4060	powershell.exe
Token: SeRemoteShutdownPrivilege	4060	powershell.exe
Token: SeUndockPrivilege	4060	powershell.exe
Token: SeManageVolumePrivilege	4060	powershell.exe
Token: 33	4060	powershell.exe
Token: 34	4060	powershell.exe
Token: 35	4060	powershell.exe
Token: 36	4060	powershell.exe
Token: SeIncreaseQuotaPrivilege	184	powershell.exe
Token: SeSecurityPrivilege	184	powershell.exe
Token: SeTakeOwnershipPrivilege	184	powershell.exe
Token: SeLoadDriverPrivilege	184	powershell.exe
Token: SeSystemProfilePrivilege	184	powershell.exe
Token: SeSystemtimePrivilege	184	powershell.exe
Token: SeProfSingleProcessPrivilege	184	powershell.exe
Token: SeIncBasePriorityPrivilege	184	powershell.exe
Token: SeCreatePagefilePrivilege	184	powershell.exe
Token: SeBackupPrivilege	184	powershell.exe
Token: SeRestorePrivilege	184	powershell.exe
Token: SeShutdownPrivilege	184	powershell.exe
Token: SeDebugPrivilege	184	powershell.exe
Token: SeSystemEnvironmentPrivilege	184	powershell.exe
Token: SeRemoteShutdownPrivilege	184	powershell.exe
Token: SeUndockPrivilege	184	powershell.exe
Token: SeManageVolumePrivilege	184	powershell.exe
Token: 33	184	powershell.exe
Token: 34	184	powershell.exe
Token: 35	184	powershell.exe
Token: 36	184	powershell.exe
Token: SeIncreaseQuotaPrivilege	1448	powershell.exe
Token: SeSecurityPrivilege	1448	powershell.exe
Token: SeTakeOwnershipPrivilege	1448	powershell.exe
Token: SeLoadDriverPrivilege	1448	powershell.exe
Token: SeSystemProfilePrivilege	1448	powershell.exe
Token: SeSystemtimePrivilege	1448	powershell.exe
Token: SeProfSingleProcessPrivilege	1448	powershell.exe
Token: SeIncBasePriorityPrivilege	1448	powershell.exe
Token: SeCreatePagefilePrivilege	1448	powershell.exe
Token: SeBackupPrivilege	1448	powershell.exe
Token: SeRestorePrivilege	1448	powershell.exe
Token: SeShutdownPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeSystemEnvironmentPrivilege	1448	powershell.exe
Token: SeRemoteShutdownPrivilege	1448	powershell.exe
Token: SeUndockPrivilege	1448	powershell.exe
Token: SeManageVolumePrivilege	1448	powershell.exe
Token: 33	1448	powershell.exe
Token: 34	1448	powershell.exe
Token: 35	1448	powershell.exe
Token: 36	1448	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2604	qGHJqiji.bin.exe
2604	qGHJqiji.bin.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 1556	2604	qGHJqiji.bin.exe	74
PID 2604 wrote to memory of 1556	2604	qGHJqiji.bin.exe	74
PID 3356 wrote to memory of 1276	3356	cmd.exe	79
PID 3356 wrote to memory of 1276	3356	cmd.exe	79
PID 1276 wrote to memory of 1012	1276	WScript.exe	82
PID 1276 wrote to memory of 1012	1276	WScript.exe	82
PID 1012 wrote to memory of 3132	1012	WScript.exe	83
PID 1012 wrote to memory of 3132	1012	WScript.exe	83
PID 1012 wrote to memory of 908	1012	WScript.exe	84
PID 1012 wrote to memory of 908	1012	WScript.exe	84
PID 1012 wrote to memory of 1852	1012	WScript.exe	87
PID 1012 wrote to memory of 1852	1012	WScript.exe	87
PID 1012 wrote to memory of 2228	1012	WScript.exe	88
PID 1012 wrote to memory of 2228	1012	WScript.exe	88
PID 1012 wrote to memory of 3412	1012	WScript.exe	91
PID 1012 wrote to memory of 3412	1012	WScript.exe	91
PID 1012 wrote to memory of 4060	1012	WScript.exe	92
PID 1012 wrote to memory of 4060	1012	WScript.exe	92
PID 1012 wrote to memory of 184	1012	WScript.exe	95
PID 1012 wrote to memory of 184	1012	WScript.exe	95
PID 1012 wrote to memory of 3908	1012	WScript.exe	97
PID 1012 wrote to memory of 3908	1012	WScript.exe	97
PID 1012 wrote to memory of 1448	1012	WScript.exe	98
PID 1012 wrote to memory of 1448	1012	WScript.exe	98
PID 1012 wrote to memory of 4228	1012	WScript.exe	101
PID 1012 wrote to memory of 4228	1012	WScript.exe	101
PID 1012 wrote to memory of 4444	1012	WScript.exe	103
PID 1012 wrote to memory of 4444	1012	WScript.exe	103

C:\Users\Admin\AppData\Local\Temp\qGHJqiji.bin.exe
"C:\Users\Admin\AppData\Local\Temp\qGHJqiji.bin.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604
- \??\c:\windows\system32\cmstp.exe
  "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\gvfid14o.inf
  2⤵
  PID:1556

C:\Windows\system32\cmd.exe
cmd /c start C:\Windows\temp\ecacxa3p.vbs
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\temp\ecacxa3p.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\temp\ecacxa3p.vbs" /elevate
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2228
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4228
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4444

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/184-32-0x00007FF896AB0000-0x00007FF89749C000-memory.dmp

Filesize
9.9MB

Download
memory/908-24-0x00007FF896AB0000-0x00007FF89749C000-memory.dmp

Filesize
9.9MB

Download
memory/908-39-0x00000111511E0000-0x00000111511E1000-memory.dmp

Filesize
4KB

Download
memory/1448-35-0x00007FF896AB0000-0x00007FF89749C000-memory.dmp

Filesize
9.9MB

Download
memory/1556-9-0x00000119D9AE0000-0x00000119D9AE1000-memory.dmp

Filesize
4KB

Download
memory/1556-7-0x00000119D9AE0000-0x00000119D9AE1000-memory.dmp

Filesize
4KB

Download
memory/1852-27-0x00007FF896AB0000-0x00007FF89749C000-memory.dmp

Filesize
9.9MB

Download
memory/2228-28-0x00007FF896AB0000-0x00007FF89749C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-3-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/2604-2-0x00007FF897CB0000-0x00007FF89869C000-memory.dmp

Filesize
9.9MB

Download
memory/3132-34-0x0000016D287B0000-0x0000016D287B1000-memory.dmp

Filesize
4KB

Download
memory/3132-21-0x00007FF896AB0000-0x00007FF89749C000-memory.dmp

Filesize
9.9MB

Download
memory/3412-29-0x00007FF896AB0000-0x00007FF89749C000-memory.dmp

Filesize
9.9MB

Download
memory/3908-33-0x00007FF896AB0000-0x00007FF89749C000-memory.dmp

Filesize
9.9MB

Download
memory/4060-31-0x00007FF896AB0000-0x00007FF89749C000-memory.dmp

Filesize
9.9MB

Download
memory/4228-38-0x00007FF896AB0000-0x00007FF89749C000-memory.dmp

Filesize
9.9MB

Download
memory/4444-40-0x00007FF896AB0000-0x00007FF89749C000-memory.dmp

Filesize
9.9MB

Download