Windows Analysis Report
whrbuflqwhah.exe

Overview

General Information

Sample name: whrbuflqwhah.exe
Analysis ID: 1538050
MD5: 99201be105bf0a4b25d9c5113da723fb
SHA1: 443e6e285063f67cb46676b3951733592d569a7c
SHA256: e4eda2de1dab7a3891b0ed6eff0ccd905ff4b275150004c6eb5f1d6582eea9a2
Tags: Coiner, exe, user-susu99069042

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Stop EventLog
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd or bat file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Writes to foreign memory regions
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Powershell Defender Exclusion
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe ReversingLabs: Detection: 63%
Source: C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe Virustotal: Detection: 71%
Source: whrbuflqwhah.exe ReversingLabs: Detection: 63%
Source: whrbuflqwhah.exe Virustotal: Detection: 71%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: whrbuflqwhah.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Code function: 3_2_000002C5CCF7DCE0 FindFirstFileExW, 3_2_000002C5CCF7DCE0
Source: C:\Windows\System32\winlogon.exe Code function: 22_2_00000225DC64DCE0 FindFirstFileExW, 22_2_00000225DC64DCE0
Source: C:\Windows\System32\lsass.exe Code function: 31_2_00000202C0AEDCE0 FindFirstFileExW, 31_2_00000202C0AEDCE0
Source: C:\Windows\System32\svchost.exe Code function: 32_2_000002A66130DCE0 FindFirstFileExW, 32_2_000002A66130DCE0
Source: C:\Windows\System32\dwm.exe Code function: 33_2_000002BAAEDDDCE0 FindFirstFileExW, 33_2_000002BAAEDDDCE0
Source: C:\Windows\System32\svchost.exe Code function: 34_2_0000026A879CDCE0 FindFirstFileExW, 34_2_0000026A879CDCE0
Source: C:\Windows\System32\svchost.exe Code function: 35_2_00000179537ADCE0 FindFirstFileExW, 35_2_00000179537ADCE0
Source: C:\Windows\System32\svchost.exe Code function: 36_2_000002295D56DCE0 FindFirstFileExW, 36_2_000002295D56DCE0
Source: C:\Windows\System32\svchost.exe Code function: 37_2_0000025306E6DCE0 FindFirstFileExW, 37_2_0000025306E6DCE0
Source: C:\Windows\System32\svchost.exe Code function: 38_2_000001845B3ADCE0 FindFirstFileExW, 38_2_000001845B3ADCE0
Source: C:\Windows\System32\svchost.exe Code function: 39_2_000001ADECD4DCE0 FindFirstFileExW, 39_2_000001ADECD4DCE0
Source: C:\Windows\System32\svchost.exe Code function: 40_2_000001D55907DCE0 FindFirstFileExW, 40_2_000001D55907DCE0
Source: C:\Windows\System32\svchost.exe Code function: 41_2_00000241A9EADCE0 FindFirstFileExW, 41_2_00000241A9EADCE0
Source: C:\Windows\System32\svchost.exe Code function: 42_2_000001CD7319DCE0 FindFirstFileExW, 42_2_000001CD7319DCE0
Source: C:\Windows\System32\svchost.exe Code function: 43_2_000002824E89DCE0 FindFirstFileExW, 43_2_000002824E89DCE0
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000021B47B3DCE0 FindFirstFileExW, 44_2_0000021B47B3DCE0
Source: C:\Windows\System32\svchost.exe Code function: 45_2_000002087006DCE0 FindFirstFileExW, 45_2_000002087006DCE0
Source: lsass.exe, 0000001F.00000002.3097392609.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCer
Source: lsass.exe, 0000001F.00000002.3097392609.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCerbalRP
Source: lsass.exe, 0000001F.00000002.3097392609.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: lsass.exe, 0000001F.00000002.3097392609.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: lsass.exe, 0000001F.00000002.3097392609.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: lsass.exe, 0000001F.00000002.3097392609.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: lsass.exe, 0000001F.00000002.3097392609.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 0000001F.00000002.3097392609.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: lsass.exe, 0000001F.00000002.3097392609.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: lsass.exe, 0000001F.00000002.3097392609.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: lsass.exe, 0000001F.00000002.3097392609.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 0000001F.00000002.3097392609.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: lsass.exe, 0000001F.00000002.3097392609.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 0000001F.00000002.3097392609.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: lsass.exe, 0000001F.00000002.3097392609.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0H
Source: lsass.exe, 0000001F.00000002.3097392609.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: lsass.exe, 0000001F.00000002.3097392609.00000202C0390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0~

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\whrbuflqwhah.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\dialer.exe Code function: 17_2_00000001400010C0 OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle, 17_2_00000001400010C0
Source: C:\Windows\System32\winlogon.exe Code function: 22_2_00000225DC6428C8 NtEnumerateValueKey,NtEnumerateValueKey, 22_2_00000225DC6428C8
Source: C:\Windows\System32\lsass.exe Code function: 31_2_00000202C0AE202C NtQuerySystemInformation,StrCmpNIW, 31_2_00000202C0AE202C
Source: C:\Windows\System32\lsass.exe Code function: 31_2_00000202C0AE253C NtQueryDirectoryFileEx,GetFileType,StrCpyW, 31_2_00000202C0AE253C
Source: C:\Windows\System32\dwm.exe Code function: 33_2_000002BAAEDD28C8 NtEnumerateValueKey,NtEnumerateValueKey, 33_2_000002BAAEDD28C8
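The dialer.exe call chain above is the classic remote-injection sequence: OpenProcess, a look at the target's token (GetTokenInformation, GetSidSubAuthority, which reads as filtering targets by account before committing), then VirtualAllocEx, WriteProcessMemory and NtCreateThreadEx. The following is an added example, not code from the report or the sample: detection logic written against the fields Sysmon logs for this chain, Event ID 10 (ProcessAccess, with GrantedAccess) and Event ID 8 (CreateRemoteThread). The access-right constants are the winnt.h values; the target list follows the processes the report shows receiving code; the baseline of tolerated sources and all sample records are constructed here (the report shows the API chain, not the masks) and would need tuning per estate.

```python
"""Detection logic for an OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
NtCreateThreadEx chain, keyed on Sysmon Event ID 10 / Event ID 8 fields.
Sample records below are constructed, not taken from the report."""
from __future__ import annotations

from dataclasses import dataclass

# Process access rights (winnt.h) the chain needs on the target handle.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
ACCESS_NAMES = {
    PROCESS_CREATE_THREAD: "CREATE_THREAD", PROCESS_VM_OPERATION: "VM_OPERATION",
    PROCESS_VM_READ: "VM_READ", PROCESS_VM_WRITE: "VM_WRITE",
    PROCESS_QUERY_INFORMATION: "QUERY_INFORMATION",
}
# VirtualAllocEx needs VM_OPERATION, WriteProcessMemory VM_WRITE, NtCreateThreadEx
# CREATE_THREAD. PROCESS_ALL_ACCESS (0x1F0FFF / 0x1FFFFF) contains all three.
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Processes the report shows receiving injected code.
INJECTION_TARGETS = {"svchost.exe", "lsass.exe", "winlogon.exe", "dwm.exe",
                     "explorer.exe", "wmiprvse.exe"}
# Assumed baseline of sources that legitimately hold such handles; tune per estate.
BASELINE_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "lsass.exe",
                    "msmpeng.exe", "taskmgr.exe"}


@dataclass(frozen=True)
class ProcessAccess:  # Sysmon Event ID 10
    source_image: str
    target_image: str
    granted_access: int


@dataclass(frozen=True)
class RemoteThread:  # Sysmon Event ID 8
    source_image: str
    target_image: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_access(mask: int) -> list[str]:
    """Names of the injection-relevant bits set in a GrantedAccess mask."""
    return [name for bit, name in ACCESS_NAMES.items() if mask & bit]


def can_inject(mask: int) -> bool:
    """True when the handle allows allocate + write + create-thread in the target."""
    return mask & INJECT_MASK == INJECT_MASK


def flag_accesses(events: list[ProcessAccess]) -> list[ProcessAccess]:
    """Non-baseline sources opening an injection target with injection-capable rights."""
    return [ev for ev in events
            if _basename(ev.target_image) in INJECTION_TARGETS
            and _basename(ev.source_image) not in BASELINE_SOURCES
            and can_inject(ev.granted_access)]


def flag_remote_threads(events: list[RemoteThread]) -> list[RemoteThread]:
    """Non-baseline sources creating a thread inside an injection target."""
    return [ev for ev in events
            if _basename(ev.target_image) in INJECTION_TARGETS
            and _basename(ev.source_image) not in BASELINE_SOURCES]


def correlate(accesses: list[ProcessAccess], threads: list[RemoteThread]) -> list[tuple[str, str]]:
    """(source, target) pairs that show both halves of the chain: an injection-capable
    open (the WriteProcessMemory side) and a remote thread (the NtCreateThreadEx side)."""
    opened = {(_basename(a.source_image), _basename(a.target_image)) for a in flag_accesses(accesses)}
    threaded = {(_basename(t.source_image), _basename(t.target_image)) for t in flag_remote_threads(threads)}
    return sorted(opened & threaded)


SYS = r"C:\Windows\System32"
# Constructed records: dialer.exe opening the report's targets with PROCESS_ALL_ACCESS,
# plus benign controls (Defender engine; Task Manager with query-only rights).
SAMPLE_ACCESSES = [
    ProcessAccess(SYS + r"\dialer.exe", SYS + r"\svchost.exe", 0x1FFFFF),
    ProcessAccess(SYS + r"\dialer.exe", SYS + r"\lsass.exe", 0x1FFFFF),
    ProcessAccess(SYS + r"\dialer.exe", SYS + r"\winlogon.exe", 0x1F0FFF),
    ProcessAccess(r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe", SYS + r"\svchost.exe", 0x1FFFFF),
    ProcessAccess(SYS + r"\Taskmgr.exe", SYS + r"\svchost.exe", 0x1400),
    ProcessAccess(SYS + r"\dialer.exe", SYS + r"\notepad.exe", 0x1FFFFF),  # not a listed target
]
SAMPLE_THREADS = [
    RemoteThread(SYS + r"\dialer.exe", SYS + r"\svchost.exe"),
    RemoteThread(SYS + r"\dialer.exe", SYS + r"\lsass.exe"),
    RemoteThread(SYS + r"\csrss.exe", SYS + r"\svchost.exe"),  # baseline source
]

if __name__ == "__main__":
    for ev in flag_accesses(SAMPLE_ACCESSES):
        print(f"{_basename(ev.source_image)} -> {_basename(ev.target_image)} "
              f"0x{ev.granted_access:X} {decode_access(ev.granted_access)}")
    print("confirmed chains:", correlate(SAMPLE_ACCESSES, SAMPLE_THREADS))
```

Keying on the access mask and the target rather than on dialer.exe by name is deliberate: the token inspection in the call chain suggests the loader picks targets at run time, and any other signed Windows binary could be used as the staging process. The cost is that injection into processes outside INJECTION_TARGETS (the notepad.exe control) is not flagged; widening that set is a tuning decision against the false-positive rate of the baseline.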
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Code function: 3_2_000002C5CCF41F2C 3_2_000002C5CCF41F2C
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Code function: 3_2_000002C5CCF4D0E0 3_2_000002C5CCF4D0E0
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Code function: 3_2_000002C5CCF538A8 3_2_000002C5CCF538A8
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Code function: 3_2_000002C5CCF72B2C 3_2_000002C5CCF72B2C
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Code function: 3_2_000002C5CCF7DCE0 3_2_000002C5CCF7DCE0
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Code function: 3_2_000002C5CCF844A8 3_2_000002C5CCF844A8
Source: C:\Windows\System32\dialer.exe Code function: 17_2_000000014000226C 17_2_000000014000226C
Source: C:\Windows\System32\dialer.exe Code function: 17_2_00000001400014D8 17_2_00000001400014D8
Source: C:\Windows\System32\dialer.exe Code function: 17_2_0000000140002560 17_2_0000000140002560
Source: C:\Windows\System32\winlogon.exe Code function: 22_2_00000225DC611F2C 22_2_00000225DC611F2C
Source: C:\Windows\System32\winlogon.exe Code function: 22_2_00000225DC61D0E0 22_2_00000225DC61D0E0
Source: C:\Windows\System32\winlogon.exe Code function: 22_2_00000225DC6238A8 22_2_00000225DC6238A8
Source: C:\Windows\System32\winlogon.exe Code function: 22_2_00000225DC642B2C 22_2_00000225DC642B2C
Source: C:\Windows\System32\winlogon.exe Code function: 22_2_00000225DC64DCE0 22_2_00000225DC64DCE0
Source: C:\Windows\System32\winlogon.exe Code function: 22_2_00000225DC6544A8 22_2_00000225DC6544A8
Source: C:\Windows\System32\lsass.exe Code function: 31_2_00000202C0AB1F2C 31_2_00000202C0AB1F2C
Source: C:\Windows\System32\lsass.exe Code function: 31_2_00000202C0AC38A8 31_2_00000202C0AC38A8
Source: C:\Windows\System32\lsass.exe Code function: 31_2_00000202C0ABD0E0 31_2_00000202C0ABD0E0
Source: C:\Windows\System32\lsass.exe Code function: 31_2_00000202C0AE2B2C 31_2_00000202C0AE2B2C
Source: C:\Windows\System32\lsass.exe Code function: 31_2_00000202C0AF44A8 31_2_00000202C0AF44A8
Source: C:\Windows\System32\lsass.exe Code function: 31_2_00000202C0AEDCE0 31_2_00000202C0AEDCE0
Source: C:\Windows\System32\svchost.exe Code function: 32_2_000002A6612D1F2C 32_2_000002A6612D1F2C
Source: C:\Windows\System32\svchost.exe Code function: 32_2_000002A6612DD0E0 32_2_000002A6612DD0E0
Source: C:\Windows\System32\svchost.exe Code function: 32_2_000002A6612E38A8 32_2_000002A6612E38A8
Source: C:\Windows\System32\svchost.exe Code function: 32_2_000002A661302B2C 32_2_000002A661302B2C
Source: C:\Windows\System32\svchost.exe Code function: 32_2_000002A66131AEC5 32_2_000002A66131AEC5
Source: C:\Windows\System32\svchost.exe Code function: 32_2_000002A66130DCE0 32_2_000002A66130DCE0
Source: C:\Windows\System32\svchost.exe Code function: 32_2_000002A6613144A8 32_2_000002A6613144A8
Source: C:\Windows\System32\dwm.exe Code function: 33_2_000002BAAEDA1F2C 33_2_000002BAAEDA1F2C
Source: C:\Windows\System32\dwm.exe Code function: 33_2_000002BAAEDAD0E0 33_2_000002BAAEDAD0E0
Source: C:\Windows\System32\dwm.exe Code function: 33_2_000002BAAEDB38A8 33_2_000002BAAEDB38A8
Source: C:\Windows\System32\dwm.exe Code function: 33_2_000002BAAEDD2B2C 33_2_000002BAAEDD2B2C
Source: C:\Windows\System32\dwm.exe Code function: 33_2_000002BAAEDDDCE0 33_2_000002BAAEDDDCE0
Source: C:\Windows\System32\dwm.exe Code function: 33_2_000002BAAEDE44A8 33_2_000002BAAEDE44A8
Source: C:\Windows\System32\svchost.exe Code function: 34_2_0000026A8799D0E0 34_2_0000026A8799D0E0
Source: C:\Windows\System32\svchost.exe Code function: 34_2_0000026A879A38A8 34_2_0000026A879A38A8
Source: C:\Windows\System32\svchost.exe Code function: 34_2_0000026A87991F2C 34_2_0000026A87991F2C
Source: C:\Windows\System32\svchost.exe Code function: 34_2_0000026A879CDCE0 34_2_0000026A879CDCE0
Source: C:\Windows\System32\svchost.exe Code function: 34_2_0000026A879D44A8 34_2_0000026A879D44A8
Source: C:\Windows\System32\svchost.exe Code function: 34_2_0000026A879C2B2C 34_2_0000026A879C2B2C
Source: C:\Windows\System32\svchost.exe Code function: 35_2_00000179537838A8 35_2_00000179537838A8
Source: C:\Windows\System32\svchost.exe Code function: 35_2_000001795377D0E0 35_2_000001795377D0E0
Source: C:\Windows\System32\svchost.exe Code function: 35_2_0000017953771F2C 35_2_0000017953771F2C
Source: C:\Windows\System32\svchost.exe Code function: 35_2_00000179537B44A8 35_2_00000179537B44A8
Source: C:\Windows\System32\svchost.exe Code function: 35_2_00000179537ADCE0 35_2_00000179537ADCE0
Source: C:\Windows\System32\svchost.exe Code function: 35_2_00000179537A2B2C 35_2_00000179537A2B2C
Source: C:\Windows\System32\svchost.exe Code function: 36_2_000002295D53D0E0 36_2_000002295D53D0E0
Source: C:\Windows\System32\svchost.exe Code function: 36_2_000002295D5438A8 36_2_000002295D5438A8
Source: C:\Windows\System32\svchost.exe Code function: 36_2_000002295D531F2C 36_2_000002295D531F2C
Source: C:\Windows\System32\svchost.exe Code function: 36_2_000002295D56DCE0 36_2_000002295D56DCE0
Source: C:\Windows\System32\svchost.exe Code function: 36_2_000002295D5744A8 36_2_000002295D5744A8
Source: C:\Windows\System32\svchost.exe Code function: 36_2_000002295D562B2C 36_2_000002295D562B2C
Source: C:\Windows\System32\svchost.exe Code function: 37_2_00000253067D1F2C 37_2_00000253067D1F2C
Source: C:\Windows\System32\svchost.exe Code function: 37_2_00000253067DD0E0 37_2_00000253067DD0E0
Source: C:\Windows\System32\svchost.exe Code function: 37_2_00000253067E38A8 37_2_00000253067E38A8
Source: C:\Windows\System32\svchost.exe Code function: 37_2_0000025306E62B2C 37_2_0000025306E62B2C
Source: C:\Windows\System32\svchost.exe Code function: 37_2_0000025306E6DCE0 37_2_0000025306E6DCE0
Source: C:\Windows\System32\svchost.exe Code function: 37_2_0000025306E744A8 37_2_0000025306E744A8
Source: C:\Windows\System32\svchost.exe Code function: 38_2_000001845B3B44A8 38_2_000001845B3B44A8
Source: C:\Windows\System32\svchost.exe Code function: 38_2_000001845B3ADCE0 38_2_000001845B3ADCE0
Source: C:\Windows\System32\svchost.exe Code function: 38_2_000001845B3A2B2C 38_2_000001845B3A2B2C
Source: C:\Windows\System32\svchost.exe Code function: 39_2_000001ADECD4DCE0 39_2_000001ADECD4DCE0
Source: C:\Windows\System32\svchost.exe Code function: 39_2_000001ADECD544A8 39_2_000001ADECD544A8
Source: C:\Windows\System32\svchost.exe Code function: 39_2_000001ADECD42B2C 39_2_000001ADECD42B2C
Source: C:\Windows\System32\svchost.exe Code function: 40_2_000001D5590538A8 40_2_000001D5590538A8
Source: C:\Windows\System32\svchost.exe Code function: 40_2_000001D55904D0E0 40_2_000001D55904D0E0
Source: C:\Windows\System32\svchost.exe Code function: 40_2_000001D559041F2C 40_2_000001D559041F2C
Source: C:\Windows\System32\svchost.exe Code function: 40_2_000001D5590844A8 40_2_000001D5590844A8
Source: C:\Windows\System32\svchost.exe Code function: 40_2_000001D55907DCE0 40_2_000001D55907DCE0
Source: C:\Windows\System32\svchost.exe Code function: 40_2_000001D559072B2C 40_2_000001D559072B2C
Source: C:\Windows\System32\svchost.exe Code function: 41_2_00000241A9EA2B2C 41_2_00000241A9EA2B2C
Source: C:\Windows\System32\svchost.exe Code function: 41_2_00000241A9EADCE0 41_2_00000241A9EADCE0
Source: C:\Windows\System32\svchost.exe Code function: 41_2_00000241A9EB44A8 41_2_00000241A9EB44A8
Source: C:\Windows\System32\svchost.exe Code function: 42_2_000001CD73161F2C 42_2_000001CD73161F2C
Source: C:\Windows\System32\svchost.exe Code function: 42_2_000001CD731738A8 42_2_000001CD731738A8
Source: C:\Windows\System32\svchost.exe Code function: 42_2_000001CD7316D0E0 42_2_000001CD7316D0E0
Source: C:\Windows\System32\svchost.exe Code function: 42_2_000001CD73192B2C 42_2_000001CD73192B2C
Source: C:\Windows\System32\svchost.exe Code function: 42_2_000001CD731A44A8 42_2_000001CD731A44A8
Source: C:\Windows\System32\svchost.exe Code function: 42_2_000001CD7319DCE0 42_2_000001CD7319DCE0
Source: C:\Windows\System32\svchost.exe Code function: 43_2_000002824E86D0E0 43_2_000002824E86D0E0
Source: C:\Windows\System32\svchost.exe Code function: 43_2_000002824E8738A8 43_2_000002824E8738A8
Source: C:\Windows\System32\svchost.exe Code function: 43_2_000002824E861F2C 43_2_000002824E861F2C
Source: C:\Windows\System32\svchost.exe Code function: 43_2_000002824E89DCE0 43_2_000002824E89DCE0
Source: C:\Windows\System32\svchost.exe Code function: 43_2_000002824E8A44A8 43_2_000002824E8A44A8
Source: C:\Windows\System32\svchost.exe Code function: 43_2_000002824E892B2C 43_2_000002824E892B2C
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000021B473CD0E0 44_2_0000021B473CD0E0
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000021B473D38A8 44_2_0000021B473D38A8
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000021B473C1F2C 44_2_0000021B473C1F2C
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000021B47B3DCE0 44_2_0000021B47B3DCE0
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000021B47B444A8 44_2_0000021B47B444A8
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000021B47B32B2C 44_2_0000021B47B32B2C
Source: C:\Windows\System32\svchost.exe Code function: 45_2_000002086F9E38A8 45_2_000002086F9E38A8
Source: C:\Windows\System32\svchost.exe Code function: 45_2_000002086F9DD0E0 45_2_000002086F9DD0E0
Source: C:\Windows\System32\svchost.exe Code function: 45_2_000002086F9D1F2C 45_2_000002086F9D1F2C
Source: C:\Windows\System32\svchost.exe Code function: 45_2_0000020870062B2C 45_2_0000020870062B2C
Source: C:\Windows\System32\svchost.exe Code function: 45_2_00000208700744A8 45_2_00000208700744A8
Source: C:\Windows\System32\svchost.exe Code function: 45_2_000002087006DCE0 45_2_000002087006DCE0
Source: Joe Sandbox View Dropped File: C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe E4EDA2DE1DAB7A3891B0ED6EFF0CCD905FF4B275150004C6EB5F1D6582EEA9A2
Source: classification engine Classification label: mal100.adwa.evad.winEXE@45/67@0/0
Source: C:\Windows\System32\dialer.exe Code function: 17_2_000000014000226C GetCurrentProcessId,OpenProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,FindResourceExA,SizeofResource,LoadResource,LockResource,GetCurrentProcessId,RegCreateKeyExW,ConvertStringSecurityDescriptorToSecurityDescriptorW,RegSetKeySecurity,LocalFree,RegCreateKeyExW,GetCurrentProcessId,RegSetValueExW,RegCloseKey,RegCloseKey,CreateThread,GetProcessHeap,HeapAlloc,CreateThread,CreateThread,SleepEx, 17_2_000000014000226C
Source: C:\Windows\System32\dialer.exe Code function: 17_2_00000001400019C4 SysAllocString,SysAllocString,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,VariantInit,CoUninitialize,SysFreeString,SysFreeString, 17_2_00000001400019C4
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7964:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7948:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7888:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7680:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7292:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7988:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_keg54dfm.zgo.ps1
Source: whrbuflqwhah.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\whrbuflqwhah.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: whrbuflqwhah.exe ReversingLabs: Detection: 63%
Source: whrbuflqwhah.exe Virustotal: Detection: 71%
Source: C:\Users\user\Desktop\whrbuflqwhah.exe File read: C:\Users\user\Desktop\whrbuflqwhah.exe
Source: unknown Process created: C:\Users\user\Desktop\whrbuflqwhah.exe "C:\Users\user\Desktop\whrbuflqwhah.exe"
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "RYVSUJUA"
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "RYVSUJUA" binpath= "C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe" start= "auto"
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "RYVSUJUA"
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\whrbuflqwhah.exe"
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop WaaSMedicSvc
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop wuauserv
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop bits
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop dosvc
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe delete "RYVSUJUA"
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe create "RYVSUJUA" binpath= "C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe" start= "auto"
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop eventlog
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe start "RYVSUJUA"
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\whrbuflqwhah.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\wusa.exe Section loaded: dpx.dll Jump to behavior
Source: C:\Windows\System32\wusa.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\System32\wusa.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wusa.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wusa.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\dialer.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\choice.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: whrbuflqwhah.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: whrbuflqwhah.exe Static file information: File size 5512704 > 1048576
Source: whrbuflqwhah.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x52a800
Source: whrbuflqwhah.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: whrbuflqwhah.exe Static PE information: section name: .00cfg
Source: whrbuflqwhah.exe.0.dr Static PE information: section name: .00cfg
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Code function: 3_2_000002C5CCF5ACDD push rcx; retf 003Fh 3_2_000002C5CCF5ACDE
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Code function: 3_2_000002C5CCF8C6DD push rcx; retf 003Fh 3_2_000002C5CCF8C6DE
Source: C:\Windows\System32\winlogon.exe Code function: 22_2_00000225DC62ACDD push rcx; retf 003Fh 22_2_00000225DC62ACDE
Source: C:\Windows\System32\winlogon.exe Code function: 22_2_00000225DC65C6DD push rcx; retf 003Fh 22_2_00000225DC65C6DE
Source: C:\Windows\System32\lsass.exe Code function: 31_2_00000202C0ACACDD push rcx; retf 003Fh 31_2_00000202C0ACACDE
Source: C:\Windows\System32\lsass.exe Code function: 31_2_00000202C0AFC6DD push rcx; retf 003Fh 31_2_00000202C0AFC6DE
Source: C:\Windows\System32\svchost.exe Code function: 32_2_000002A6612EACDD push rcx; retf 003Fh 32_2_000002A6612EACDE
Source: C:\Windows\System32\svchost.exe Code function: 32_2_000002A66131C6DD push rcx; retf 003Fh 32_2_000002A66131C6DE
Source: C:\Windows\System32\dwm.exe Code function: 33_2_000002BAAEDBACDD push rcx; retf 003Fh 33_2_000002BAAEDBACDE
Source: C:\Windows\System32\dwm.exe Code function: 33_2_000002BAAEDEC6DD push rcx; retf 003Fh 33_2_000002BAAEDEC6DE
Source: C:\Windows\System32\svchost.exe Code function: 34_2_0000026A879AACDD push rcx; retf 003Fh 34_2_0000026A879AACDE
Source: C:\Windows\System32\svchost.exe Code function: 35_2_000001795378ACDD push rcx; retf 003Fh 35_2_000001795378ACDE
Source: C:\Windows\System32\svchost.exe Code function: 35_2_00000179537BC6DD push rcx; retf 003Fh 35_2_00000179537BC6DE
Source: C:\Windows\System32\svchost.exe Code function: 36_2_000002295D54ACDD push rcx; retf 003Fh 36_2_000002295D54ACDE
Source: C:\Windows\System32\svchost.exe Code function: 36_2_000002295D57C6DD push rcx; retf 003Fh 36_2_000002295D57C6DE
Source: C:\Windows\System32\svchost.exe Code function: 37_2_00000253067EACDD push rcx; retf 003Fh 37_2_00000253067EACDE
Source: C:\Windows\System32\svchost.exe Code function: 37_2_0000025306E7C6DD push rcx; retf 003Fh 37_2_0000025306E7C6DE
Source: C:\Windows\System32\svchost.exe Code function: 38_2_000001845B3BC6DD push rcx; retf 003Fh 38_2_000001845B3BC6DE
Source: C:\Windows\System32\svchost.exe Code function: 39_2_000001ADECD5C6DD push rcx; retf 003Fh 39_2_000001ADECD5C6DE
Source: C:\Windows\System32\svchost.exe Code function: 40_2_000001D55905ACDD push rcx; retf 003Fh 40_2_000001D55905ACDE
Source: C:\Windows\System32\svchost.exe Code function: 40_2_000001D55908C6DD push rcx; retf 003Fh 40_2_000001D55908C6DE
Source: C:\Windows\System32\svchost.exe Code function: 41_2_00000241A9EBC6DD push rcx; retf 003Fh 41_2_00000241A9EBC6DE
Source: C:\Windows\System32\svchost.exe Code function: 42_2_000001CD7317ACDD push rcx; retf 003Fh 42_2_000001CD7317ACDE
Source: C:\Windows\System32\svchost.exe Code function: 42_2_000001CD731AC6DD push rcx; retf 003Fh 42_2_000001CD731AC6DE
Source: C:\Windows\System32\svchost.exe Code function: 43_2_000002824E87ACDD push rcx; retf 003Fh 43_2_000002824E87ACDE
Source: C:\Windows\System32\svchost.exe Code function: 43_2_000002824E8AC6DD push rcx; retf 003Fh 43_2_000002824E8AC6DE
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000021B473DACDD push rcx; retf 003Fh 44_2_0000021B473DACDE
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000021B47B4C6DD push rcx; retf 003Fh 44_2_0000021B47B4C6DE
Source: C:\Windows\System32\svchost.exe Code function: 45_2_000002086F9EACDD push rcx; retf 003Fh 45_2_000002086F9EACDE
Source: C:\Windows\System32\svchost.exe Code function: 45_2_000002087007C6DD push rcx; retf 003Fh 45_2_000002087007C6DE
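The static PE checks above (image base above 0x60000000, file larger than 1 MiB, a .data section with more than 1 MiB of raw bytes, the unusual .00cfg section name, and the DllCharacteristics flags) can be reproduced with a handful of header reads. The following Python is an added example, not part of the Joe Sandbox report and not code from the sample: it parses a PE32/PE32+ header with the standard library only and runs against a header constructed in memory from the values quoted above, so no binary is needed. Offsets are those of IMAGE_OPTIONAL_HEADER in winnt.h; the list of "common" section names is an editorial assumption and should be tuned to the toolchains seen in your estate.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h, in the order the report prints them
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
# Section names a stock MSVC image is expected to carry (assumption); anything
# else is reported, which is how .00cfg surfaces in the report above.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata",
                   ".rsrc", ".reloc", ".tls", ".bss", ".CRT", ".gfids"}
ONE_MIB = 0x100000


def parse_pe(data: bytes) -> dict:
    """Parse the DOS/NT headers and section table of a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                   # IMAGE_OPTIONAL_HEADER starts here
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                    # PE32+: QWORD ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:                                  # PE32: BaseOfData, then DWORD ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in both formats
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "va": va, "raw_size": raw_size, "raw_ptr": raw_ptr, "flags": flags})
        off += 40
    return {"machine": machine, "image_base": image_base,
            "dll_characteristics": dll_chars, "sections": sections}


def dll_flags(value: int) -> list:
    return [name for bit, name in DLL_CHARACTERISTICS.items() if value & bit]


def triage(pe: dict, file_size: int) -> list:
    """Reproduce the kind of static findings the report lists for this sample."""
    findings = []
    if pe["image_base"] > 0x60000000:
        findings.append(f"Image base {pe['image_base']:#x} > 0x60000000")
    if file_size > ONE_MIB:
        findings.append(f"File size {file_size} > {ONE_MIB}")
    for s in pe["sections"]:
        if s["raw_size"] > ONE_MIB:
            findings.append(f"Raw size of {s['name']} ({s['raw_size']:#x}) > {ONE_MIB:#x}")
        if s["name"] not in COMMON_SECTIONS:
            findings.append(f"section name: {s['name']}")
    findings.append("DllCharacteristics: " + ", ".join(dll_flags(pe["dll_characteristics"])))
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32+ header carrying the values quoted in the report (not the real file)."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    secs = [(b".text", 0xF0000, 0x1000, 0xF0000, 0x400),
            (b".data", 0x52A800, 0xF1000, 0x52A800, 0xF0400),        # 0x52a800 raw bytes, as reported
            (b".00cfg", 0x100, 0x61C000, 0x200, 0x61AC00)]
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(secs), 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIIII", 0x20B, 14, 0, 0xF0000, 0x52A800, 0, 0x1000, 0x1000)
    opt += struct.pack("<Q", 0x140000000)                             # ImageBase
    opt += struct.pack("<IIHHHHHHIIIIHH", 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0,
                       0x61D000, 0x400, 0, 2, 0x8160)                 # ..., Subsystem, DllCharacteristics
    opt += struct.pack("<QQQQII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                                # 16 empty data directories
    sec_tbl = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0x40000040)
                       for n, vs, va, rs, rp in secs)
    return dos + b"PE\0\0" + file_hdr + opt + sec_tbl


if __name__ == "__main__":
    for line in triage(parse_pe(build_sample_pe()), file_size=5512704):
        print(line)
```

Point `parse_pe` at `open(path, "rb").read()` to run the same checks on a real file; the report's 0x52a800 .data size and 0x140000000 image base are what a normal 64-bit MSVC build looks like, so on their own they are weak signals, and the value of the check is in combination with the behavioural findings.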

Persistence and Installation Behavior

Source: C:\Windows\System32\lsass.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob (2 identical entries)
Source: C:\Users\user\Desktop\whrbuflqwhah.exe File created: C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe (2 identical entries)
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\sc.exe C:\Windows\system32\sc.exe stop UsoSvc

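The persistence findings above (a root certificate blob written under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates by lsass.exe, the copy dropped to C:\ProgramData\trmrjvadsnmf\, and `sc.exe stop UsoSvc`) together with the `cmd /c choice /C Y /N /D Y /T 3 & Del "..."` self-deletion listed under Hooking further down translate directly into host-telemetry rules. The following Python is an added example, not from the report and not the sample's code: it runs over constructed Sysmon-style events that carry the exact paths and command lines the report shows. The event field names, the watched-service set and the allowlist of processes permitted to write the ROOT store are assumptions to adapt to your pipeline.

```python
import ntpath
import re

# Patterns lifted from the command lines and registry paths the report shows
SELF_DELETE = re.compile(r'choice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+\d+\s*&\s*(?:del|erase)\s+"?([^"&]+)', re.I)
SC_STOP = re.compile(r'\bsc(?:\.exe)?\s+stop\s+(\S+)', re.I)
ROOT_CERT = re.compile(r'\\SystemCertificates\\ROOT\\Certificates\\([0-9A-F]{40})$', re.I)
WATCHED_SERVICES = {"usosvc"}                                   # assumption: extend with other update/AV services
CERT_WRITERS_OK = {"certutil.exe", "mmc.exe", "msiexec.exe"}    # assumption: tune to the estate


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def check_event(ev: dict) -> list:
    """Return (rule, detail) alerts for one Sysmon-style event dict."""
    alerts = []
    if ev["event"] == "ProcessCreate":
        m = SELF_DELETE.search(ev["cmdline"])
        if m and ntpath.normcase(m.group(1).strip()) == ntpath.normcase(ev["parent_image"]):
            alerts.append(("self_delete", m.group(1).strip()))   # the parent deletes its own image
        m = SC_STOP.search(ev["cmdline"])
        if m and _base(ev["image"]) == "sc.exe" and m.group(1).lower() in WATCHED_SERVICES:
            alerts.append(("service_stop", m.group(1)))
    elif ev["event"] == "RegistryValueSet":
        m = ROOT_CERT.search(ev["key"])
        if m and ev.get("value", "").lower() == "blob" and _base(ev["image"]) not in CERT_WRITERS_OK:
            alerts.append(("root_cert_install", m.group(1).upper()))
    elif ev["event"] == "FileCreate":
        target = ntpath.normcase(ev["target"])
        if (target.startswith("c:\\programdata\\") and _base(ev["target"]) == _base(ev["image"])
                and target != ntpath.normcase(ev["image"])):
            alerts.append(("self_copy_programdata", ev["target"]))
    return alerts


def scan(events: list) -> list:
    return [a for ev in events for a in check_event(ev)]


# Constructed events mirroring the report's findings (pids and timestamps omitted)
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\sc.exe",
     "parent_image": r"C:\Users\user\Desktop\whrbuflqwhah.exe",
     "cmdline": r"C:\Windows\system32\sc.exe stop UsoSvc"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\user\Desktop\whrbuflqwhah.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\whrbuflqwhah.exe"'},
    {"event": "RegistryValueSet", "image": r"C:\Windows\System32\lsass.exe",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8",
     "value": "Blob"},
    {"event": "FileCreate", "image": r"C:\Users\user\Desktop\whrbuflqwhah.exe",
     "target": r"C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\sc.exe",     # benign control, no alert
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "sc.exe query UsoSvc"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The self-deletion rule deliberately requires the deleted path to equal the parent's own image rather than matching `choice ... & del` alone, because that keeps installers that clean up a helper file out of the alert; the root-store rule keys on the 40-hex-digit thumbprint so the alert carries the value you need to pull the certificate from HKLM and check its issuer.
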
Hooking and other Techniques for Hiding and Protection

Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 entries)
Source: explorer.exe User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\user\Desktop\whrbuflqwhah.exe" (2 identical entries)
Source: C:\Windows\System32\lsass.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (98 identical entries)

Malware Analysis System Evasion

Source: C:\Windows\System32\dialer.exe Code function: OpenProcess,OpenProcess,K32GetModuleFileNameExW,PathFindFileNameW,lstrlenW,StrCpyW,CloseHandle,StrCmpIW,NtQueryInformationProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,StrStrA,VirtualAllocEx,WriteProcessMemory,NtCreateThreadEx,WaitForSingleObject,GetExitCodeThread,CloseHandle,CloseHandle, 17_2_00000001400010C0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5683
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4171
Source: C:\Windows\System32\dialer.exe Window / User API: threadDelayed 1759
Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 1723
Source: C:\Windows\System32\winlogon.exe Window / User API: threadDelayed 8277
Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 9214
Source: C:\Windows\System32\lsass.exe Window / User API: threadDelayed 698
Source: C:\Windows\System32\dwm.exe Window / User API: threadDelayed 9871
Source: C:\Windows\System32\lsass.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\svchost.exe Evasive API call chain: RegOpenKey,DecisionNodes,Sleep
Source: C:\Windows\System32\dialer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\wbem\WmiPrvSE.exe API coverage: 4.9 %
Source: C:\Windows\System32\lsass.exe API coverage: 7.3 %
Source: C:\Windows\System32\svchost.exe API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe API coverage: 4.7 %
Source: C:\Windows\System32\svchost.exe API coverage: 5.1 %
Source: C:\Windows\System32\svchost.exe API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe API coverage: 4.4 %
Source: C:\Windows\System32\svchost.exe API coverage: 5.0 %
Source: C:\Windows\System32\svchost.exe API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe API coverage: 5.9 %
Source: C:\Windows\System32\svchost.exe API coverage: 4.9 %
Source: C:\Windows\System32\svchost.exe API coverage: 6.2 %
Source: C:\Windows\System32\svchost.exe API coverage: 7.1 %
Source: C:\Windows\System32\svchost.exe API coverage: 4.9 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7364 Thread sleep count: 5683 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7368 Thread sleep count: 4171 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7424 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 7656 Thread sleep count: 248 > 30
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 7656 Thread sleep time: -248000s >= -30000s
Source: C:\Windows\System32\dialer.exe TID: 7828 Thread sleep count: 1759 > 30
Source: C:\Windows\System32\dialer.exe TID: 7828 Thread sleep time: -175900s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 8092 Thread sleep count: 1723 > 30
Source: C:\Windows\System32\winlogon.exe TID: 8092 Thread sleep time: -1723000s >= -30000s
Source: C:\Windows\System32\winlogon.exe TID: 8092 Thread sleep count: 8277 > 30
Source: C:\Windows\System32\winlogon.exe TID: 8092 Thread sleep time: -8277000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 8100 Thread sleep count: 9214 > 30
Source: C:\Windows\System32\lsass.exe TID: 8100 Thread sleep time: -9214000s >= -30000s
Source: C:\Windows\System32\lsass.exe TID: 8100 Thread sleep count: 698 > 30
Source: C:\Windows\System32\lsass.exe TID: 8100 Thread sleep time: -698000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8108 Thread sleep count: 246 > 30
Source: C:\Windows\System32\svchost.exe TID: 8108 Thread sleep time: -246000s >= -30000s
Source: C:\Windows\System32\dwm.exe TID: 8116 Thread sleep count: 9871 > 30
Source: C:\Windows\System32\dwm.exe TID: 8116 Thread sleep time: -9871000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8124 Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 8124 Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8132 Thread sleep count: 254 > 30
Source: C:\Windows\System32\svchost.exe TID: 8132 Thread sleep time: -254000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8144 Thread sleep count: 254 > 30
Source: C:\Windows\System32\svchost.exe TID: 8144 Thread sleep time: -254000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8152 Thread sleep count: 248 > 30
Source: C:\Windows\System32\svchost.exe TID: 8152 Thread sleep time: -248000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8160 Thread sleep count: 196 > 30
Source: C:\Windows\System32\svchost.exe TID: 8160 Thread sleep time: -196000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8168 Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 8168 Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8176 Thread sleep count: 242 > 30
Source: C:\Windows\System32\svchost.exe TID: 8176 Thread sleep time: -242000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8184 Thread sleep count: 249 > 30
Source: C:\Windows\System32\svchost.exe TID: 8184 Thread sleep time: -249000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4960 Thread sleep count: 252 > 30
Source: C:\Windows\System32\svchost.exe TID: 4960 Thread sleep time: -252000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2060 Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 2060 Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6016 Thread sleep count: 235 > 30
Source: C:\Windows\System32\svchost.exe TID: 6016 Thread sleep time: -235000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4348 Thread sleep count: 235 > 30
Source: C:\Windows\System32\svchost.exe TID: 4348 Thread sleep time: -235000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2128 Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 2128 Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 340 Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 340 Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 2860 Thread sleep count: 253 > 30
Source: C:\Windows\System32\svchost.exe TID: 2860 Thread sleep time: -253000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5228 Thread sleep count: 251 > 30
Source: C:\Windows\System32\svchost.exe TID: 5228 Thread sleep time: -251000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5800 Thread sleep count: 246 > 30
Source: C:\Windows\System32\svchost.exe TID: 5800 Thread sleep time: -246000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4192 Thread sleep count: 234 > 30
Source: C:\Windows\System32\svchost.exe TID: 4192 Thread sleep time: -234000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3180 Thread sleep count: 248 > 30
Source: C:\Windows\System32\svchost.exe TID: 3180 Thread sleep time: -248000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5000 Thread sleep count: 233 > 30
Source: C:\Windows\System32\svchost.exe TID: 5000 Thread sleep time: -233000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6944 Thread sleep count: 250 > 30
Source: C:\Windows\System32\svchost.exe TID: 6944 Thread sleep time: -250000s >= -30000s
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Last function: Thread delayed
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\dialer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
Source: C:\Windows\System32\lsass.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Code function: 3_2_000002C5CCF7DCE0 FindFirstFileExW, 3_2_000002C5CCF7DCE0
Source: C:\Windows\System32\winlogon.exe Code function: 22_2_00000225DC64DCE0 FindFirstFileExW, 22_2_00000225DC64DCE0
Source: C:\Windows\System32\lsass.exe Code function: 31_2_00000202C0AEDCE0 FindFirstFileExW, 31_2_00000202C0AEDCE0
Source: C:\Windows\System32\svchost.exe Code function: 32_2_000002A66130DCE0 FindFirstFileExW, 32_2_000002A66130DCE0
Source: C:\Windows\System32\dwm.exe Code function: 33_2_000002BAAEDDDCE0 FindFirstFileExW, 33_2_000002BAAEDDDCE0
Source: C:\Windows\System32\svchost.exe Code function: 34_2_0000026A879CDCE0 FindFirstFileExW, 34_2_0000026A879CDCE0
Source: C:\Windows\System32\svchost.exe Code function: 35_2_00000179537ADCE0 FindFirstFileExW, 35_2_00000179537ADCE0
Source: C:\Windows\System32\svchost.exe Code function: 36_2_000002295D56DCE0 FindFirstFileExW, 36_2_000002295D56DCE0
Source: C:\Windows\System32\svchost.exe Code function: 37_2_0000025306E6DCE0 FindFirstFileExW, 37_2_0000025306E6DCE0
Source: C:\Windows\System32\svchost.exe Code function: 38_2_000001845B3ADCE0 FindFirstFileExW, 38_2_000001845B3ADCE0
Source: C:\Windows\System32\svchost.exe Code function: 39_2_000001ADECD4DCE0 FindFirstFileExW, 39_2_000001ADECD4DCE0
Source: C:\Windows\System32\svchost.exe Code function: 40_2_000001D55907DCE0 FindFirstFileExW, 40_2_000001D55907DCE0
Source: C:\Windows\System32\svchost.exe Code function: 41_2_00000241A9EADCE0 FindFirstFileExW, 41_2_00000241A9EADCE0
Source: C:\Windows\System32\svchost.exe Code function: 42_2_000001CD7319DCE0 FindFirstFileExW, 42_2_000001CD7319DCE0
Source: C:\Windows\System32\svchost.exe Code function: 43_2_000002824E89DCE0 FindFirstFileExW, 43_2_000002824E89DCE0
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000021B47B3DCE0 FindFirstFileExW, 44_2_0000021B47B3DCE0
Source: C:\Windows\System32\svchost.exe Code function: 45_2_000002087006DCE0 FindFirstFileExW, 45_2_000002087006DCE0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\dialer.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Code function: 3_2_000002C5CCF7D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_000002C5CCF7D2A4
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Code function: 3_2_000002C5CCF72F04 GetProcessHeap,HeapAlloc,StrCmpNIW,GetProcessHeap,HeapFree, 3_2_000002C5CCF72F04
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\dialer.exe Process token adjusted: Debug
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Code function: 3_2_000002C5CCF7D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_000002C5CCF7D2A4
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Code function: 3_2_000002C5CCF77D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_000002C5CCF77D90
Source: C:\Windows\System32\winlogon.exe Code function: 22_2_00000225DC647D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_00000225DC647D90
Source: C:\Windows\System32\winlogon.exe Code function: 22_2_00000225DC64D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_00000225DC64D2A4
Source: C:\Windows\System32\lsass.exe Code function: 31_2_00000202C0AED2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 31_2_00000202C0AED2A4
Source: C:\Windows\System32\lsass.exe Code function: 31_2_00000202C0AE7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 31_2_00000202C0AE7D90
Source: C:\Windows\System32\svchost.exe Code function: 32_2_000002A66130D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 32_2_000002A66130D2A4
Source: C:\Windows\System32\svchost.exe Code function: 32_2_000002A661307D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 32_2_000002A661307D90
Source: C:\Windows\System32\dwm.exe Code function: 33_2_000002BAAEDD7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 33_2_000002BAAEDD7D90
Source: C:\Windows\System32\dwm.exe Code function: 33_2_000002BAAEDDD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 33_2_000002BAAEDDD2A4
Source: C:\Windows\System32\svchost.exe Code function: 34_2_0000026A879CD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 34_2_0000026A879CD2A4
Source: C:\Windows\System32\svchost.exe Code function: 34_2_0000026A879C7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 34_2_0000026A879C7D90
Source: C:\Windows\System32\svchost.exe Code function: 35_2_00000179537A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 35_2_00000179537A7D90
Source: C:\Windows\System32\svchost.exe Code function: 35_2_00000179537AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 35_2_00000179537AD2A4
Source: C:\Windows\System32\svchost.exe Code function: 36_2_000002295D56D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 36_2_000002295D56D2A4
Source: C:\Windows\System32\svchost.exe Code function: 36_2_000002295D567D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 36_2_000002295D567D90
Source: C:\Windows\System32\svchost.exe Code function: 37_2_0000025306E6D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 37_2_0000025306E6D2A4
Source: C:\Windows\System32\svchost.exe Code function: 37_2_0000025306E67D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 37_2_0000025306E67D90
Source: C:\Windows\System32\svchost.exe Code function: 38_2_000001845B3AD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 38_2_000001845B3AD2A4
Source: C:\Windows\System32\svchost.exe Code function: 38_2_000001845B3A7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 38_2_000001845B3A7D90
Source: C:\Windows\System32\svchost.exe Code function: 39_2_000001ADECD47D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 39_2_000001ADECD47D90
Source: C:\Windows\System32\svchost.exe Code function: 39_2_000001ADECD4D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 39_2_000001ADECD4D2A4
Source: C:\Windows\System32\svchost.exe Code function: 40_2_000001D55907D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 40_2_000001D55907D2A4
Source: C:\Windows\System32\svchost.exe Code function: 40_2_000001D559077D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 40_2_000001D559077D90
Source: C:\Windows\System32\svchost.exe Code function: 41_2_00000241A9EAD2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 41_2_00000241A9EAD2A4
Source: C:\Windows\System32\svchost.exe Code function: 41_2_00000241A9EA7D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 41_2_00000241A9EA7D90
Source: C:\Windows\System32\svchost.exe Code function: 42_2_000001CD7319D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 42_2_000001CD7319D2A4
Source: C:\Windows\System32\svchost.exe Code function: 42_2_000001CD73197D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 42_2_000001CD73197D90
Source: C:\Windows\System32\svchost.exe Code function: 43_2_000002824E897D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 43_2_000002824E897D90
Source: C:\Windows\System32\svchost.exe Code function: 43_2_000002824E89D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 43_2_000002824E89D2A4
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000021B47B3D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 44_2_0000021B47B3D2A4
Source: C:\Windows\System32\svchost.exe Code function: 44_2_0000021B47B37D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 44_2_0000021B47B37D90
Source: C:\Windows\System32\svchost.exe Code function: 45_2_0000020870067D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 45_2_0000020870067D90
Source: C:\Windows\System32\svchost.exe Code function: 45_2_000002087006D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 45_2_000002087006D2A4

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\winlogon.exe base: 225DC610000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\lsass.exe base: 202C0AB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2A6612D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dwm.exe base: 2BAAEDA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 26A87990000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 17953770000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2295D530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 253067D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1845B370000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D559040000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 241A9E70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1CD73160000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2824E860000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 21B473C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2086F9D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 17183BC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 23FD3F70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1D2A4150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 275BDF30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1AAC0260000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 203C9F30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1B5644B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1C004F60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 24E2AB40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2644ADB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\spoolsv.exe base: 1990000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 20D25DA0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 26EF5350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2A7F0D60000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 23D0FFB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1B1C2570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2108B910000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 29166930000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1988D570000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 13869B40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1E1CC740000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2855DA70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2BF199D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 15AF3890000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 21A03B80000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\sihost.exe base: 1CD40E40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 151A6530000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19E29D00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 17D7B150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1BE621A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2252F480000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 184683D0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\explorer.exe base: 1380000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1972E260000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dasHost.exe base: 2246C5E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 221D5930000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC690000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1D178970000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1A633B40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2928D0A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\smartscreen.exe base: 1A22A640000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 21C6CF30000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\audiodg.exe base: 1D349350000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 23B60D90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 1F22F7C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 241096C0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 28E722F0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 19168E00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 28D91BB0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 26F19AF0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B647730000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1E58CC00000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 287EAEC0000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\svchost.exe base: 2360AE70000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2C5CCF40000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Program Files\Windows Defender\MpCmdRun.exe base: 20B1BA90000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\conhost.exe base: 27C60030000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 26DC7740000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Memory allocated: C:\Windows\System32\wbem\WMIADAP.exe base: 26DC7770000 protect: page execute and read and write
Source: C:\Windows\System32\dialer.exe Code function: 17_2_0000000140001C88 CreateProcessW,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAlloc,GetThreadContext,WriteProcessMemory,SetThreadContext,ResumeThread,OpenProcess,TerminateProcess, 17_2_0000000140001C88
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\winlogon.exe EIP: DC61273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\lsass.exe EIP: C0AB273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 612D273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\dwm.exe EIP: AEDA273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 8799273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5377273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5D53273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 67D273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5B37273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: EBFD273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 5904273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: A9E7273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 7316273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 4E86273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 473C273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 6F9D273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 83BC273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: D3F7273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: A415273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: BDF3273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: C026273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: C9F3273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 644B273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 7B2A273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 4F6273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 2AB4273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 4ADB273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 199273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 25DA273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: F535273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: F0D6273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: FFB273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: C257273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8B91273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6693273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 13EF273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8D57273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 69B4273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: CC74273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5DA7273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 199D273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: F389273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 3B8273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 40E4273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: A653273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 29D0273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 7B15273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 621A273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 2F48273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8B4B273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 683D273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 138273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 2E26273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6C5E273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: D593273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: FC69273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 7897273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 33B4273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8D0A273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: AB4C273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 2A64273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6CF3273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 641A273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 4935273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 60D9273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5E7B273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 2F7C273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: E815273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 5234273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 9DA9273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 602E273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 96C273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 722F273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 68E0273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 91BB273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 19AF273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 4773273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 8CC0273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: EAEC273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: AE7273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: CCF4273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\conhost.exe EIP: 1BA9273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 6003273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: C774273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: C777273C
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87990000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 17953770000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 253067D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1845B370000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D559040000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2824E860000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5644B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2108B910000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 29166930000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1988D570000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 13869B40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 151A6530000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 19E29D00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2252F480000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 184683D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\explorer.exe base: 1380000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1972E260000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 221D5930000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC690000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178970000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60D90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 241096C0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 28E722F0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 19168E00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dllhost.exe base: 28D91BB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\conhost.exe base: 26F19AF0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B647730000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1E58CC00000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 287EAEC0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2360AE70000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2C5CCF40000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 20B1BA90000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\conhost.exe base: 27C60030000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 26DC7740000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 26DC7770000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: PID: 2580 base: 1380000 value: 4D
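The "Thread created ... EIP" lines above give only the low 32 bits of each remote thread's start address, while the "Memory written ... base" lines give the full 64-bit base of the PE image (the 4D5A prefix is the MZ header) that dialer.exe wrote into the same processes. Read together, every thread start is base + 0x273C: one injected image with a fixed entry RVA is being started in each target. The script below is an added example by the editor, not part of the Joe Sandbox report; its input is a subset of the report's own evidence lines with the link text dropped, and matching each EIP to the nearest written base below it (compared modulo 2^32) is the editor's heuristic, not something the report states.

```python
"""Correlate a Joe Sandbox report's 'Thread created' and 'Memory written'
evidence lines to recover the injected image's entry-point RVA.

Added example, not part of the sandbox report. The report prints the new
thread's EIP as a 32-bit value but the written base as a 64-bit address,
so the two can only be compared modulo 2**32.
"""
import os
import re
from collections import Counter

MASK32 = 0xFFFFFFFF

# Sample input: evidence lines copied from the report (a subset of the full
# listing, trailing link text removed).
THREAD_LINES = r"""
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\winlogon.exe EIP: DC61273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\lsass.exe EIP: C0AB273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\svchost.exe EIP: 612D273C
Source: C:\Windows\System32\dialer.exe Thread created: C:\Windows\System32\dwm.exe EIP: AEDA273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 199273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: 138273C
Source: C:\Windows\System32\dialer.exe Thread created: unknown EIP: C777273C
"""

MEM_LINES = r"""
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDA0000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1990000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\explorer.exe base: 1380000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 26DC7740000 value starts with: 4D5A
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 26DC7770000 value starts with: 4D5A
"""

THREAD_RE = re.compile(r"Thread created: (?P<target>.+?) EIP: (?P<eip>[0-9A-Fa-f]+)\s*$")
MEM_RE = re.compile(
    r"Memory written: (?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)"
    r"(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?\s*$"
)


def parse_threads(text):
    """Return [{target, eip}] for every 'Thread created' line."""
    out = []
    for line in text.splitlines():
        m = THREAD_RE.search(line)
        if m:
            out.append({"target": m["target"], "eip": int(m["eip"], 16)})
    return out


def parse_writes(text):
    """Return [{target, base, magic}] for every 'Memory written' line."""
    out = []
    for line in text.splitlines():
        m = MEM_RE.search(line)
        if m:
            out.append({"target": m["target"], "base": int(m["base"], 16),
                        "magic": (m["magic"] or "").upper()})
    return out


def nearest_image(eip, writes):
    """Pick the written PE image (magic 4D5A) whose base lies closest below
    eip when both are reduced modulo 2**32; return (write, rva) or None.
    Choosing the smallest non-negative distance disambiguates two images
    written close together (the two WMIADAP.exe bases are 0x30000 apart)."""
    best = None
    for w in writes:
        if w["magic"] != "4D5A":
            continue
        rva = (eip - w["base"]) & MASK32
        if best is None or rva < best[1]:
            best = (w, rva)
    return best


def correlate(thread_text, mem_text):
    """Map each remote thread start to the injected image it lands in."""
    writes = parse_writes(mem_text)
    rows = []
    for t in parse_threads(thread_text):
        hit = nearest_image(t["eip"], writes)
        if hit is None:
            continue
        w, rva = hit
        rows.append({"thread_target": t["target"], "image_target": w["target"],
                     "base": w["base"], "eip": t["eip"], "rva": rva})
    return rows


def entry_rvas(rows):
    """Distinct entry-point RVAs and how many threads start at each."""
    return Counter(r["rva"] for r in rows)


def hijacked_processes(rows):
    """Count injected images per target executable name."""
    return Counter(os.path.basename(r["image_target"].replace("\\", "/")) for r in rows)


if __name__ == "__main__":
    rows = correlate(THREAD_LINES, MEM_LINES)
    for r in rows:
        print(f"{r['image_target']:<48} base={r['base']:#x} eip32={r['eip']:#010x} rva={r['rva']:#x}")
    print("entry RVAs:", {hex(k): v for k, v in entry_rvas(rows).items()})
    print("targets:", dict(hijacked_processes(rows)))
```

Running it over the full listing in the report (not only the subset embedded above) gives a single entry RVA, 0x273C, for all 85 thread creations, which is a useful pivot: a memory scan of the live host for private executable regions that start with MZ and have a thread whose start address is region base + 0x273C would find every hollowed process in one pass, including the ones the report lists as "unknown". The "unknown" thread targets resolve to spoolsv.exe and explorer.exe here because their bases are the only ones in the 32-bit range.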
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Thread register set: target process: 7824
Source: C:\Users\user\Desktop\whrbuflqwhah.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\winlogon.exe base: 225DC610000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\lsass.exe base: 202C0AB0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2A6612D0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dwm.exe base: 2BAAEDA0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 26A87990000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 17953770000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2295D530000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 253067D0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1845B370000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1ADEBFD0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D559040000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 241A9E70000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1CD73160000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2824E860000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 21B473C0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2086F9D0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 17183BC0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 23FD3F70000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1D2A4150000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 275BDF30000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1AAC0260000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 203C9F30000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1B5644B0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1BB7B2A0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1C004F60000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 24E2AB40000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2644ADB0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\spoolsv.exe base: 1990000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 20D25DA0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 26EF5350000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2A7F0D60000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 23D0FFB0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1B1C2570000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2108B910000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 29166930000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe base: 21C13EF0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1988D570000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 13869B40000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1E1CC740000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2855DA70000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2BF199D0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 15AF3890000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 21A03B80000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\sihost.exe base: 1CD40E40000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 151A6530000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 19E29D00000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 17D7B150000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1BE621A0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2252F480000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\ctfmon.exe base: 1F28B4B0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 184683D0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\explorer.exe base: 1380000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1972E260000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dasHost.exe base: 2246C5E0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 221D5930000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC690000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D178970000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1A633B40000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2928D0A0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dllhost.exe base: 13DAB4C0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\smartscreen.exe base: 1A22A640000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 21C6CF30000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 1EF641A0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\audiodg.exe base: 1D349350000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B60D90000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2135E7B0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 1F22F7C0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\ApplicationFrameHost.exe base: 1F6E8150000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 20C52340000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\ImmersiveControlPanel\SystemSettings.exe base: 2589DA90000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\oobe\UserOOBEBroker.exe base: 1F5602E0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 241096C0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 28E722F0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 19168E00000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\dllhost.exe base: 28D91BB0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\conhost.exe base: 26F19AF0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B647730000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1E58CC00000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\RuntimeBroker.exe base: 287EAEC0000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\svchost.exe base: 2360AE70000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WmiPrvSE.exe base: 2C5CCF40000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Program Files\Windows Defender\MpCmdRun.exe base: 20B1BA90000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\conhost.exe base: 27C60030000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 26DC7740000
Source: C:\Windows\System32\dialer.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 26DC7770000
Source: C:\Users\user\Desktop\whrbuflqwhah.exe Process created: C:\Windows\System32\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wusa.exe wusa /uninstall /kb:890830 /quiet /norestart
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\System32\dialer.exe Code function: 17_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 17_2_0000000140001B54
Source: winlogon.exe, 00000016.00000002.3090792452.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000016.00000000.1723155542.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000016.00000002.3090792452.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000016.00000000.1723155542.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: winlogon.exe, 00000016.00000002.3090792452.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000016.00000000.1723155542.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: winlogon.exe, 00000016.00000002.3090792452.00000225DCB71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000016.00000000.1723155542.00000225DCB70000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Code function: 3_2_000002C5CCF536F0 cpuid 3_2_000002C5CCF536F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\dialer.exe Code function: 17_2_0000000140001B54 AllocateAndInitializeSid,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeW, 17_2_0000000140001B54
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Code function: 3_2_000002C5CCF77960 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_000002C5CCF77960
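The process chain and cross-process writes listed above (the sample starting dialer.exe with no arguments, dialer.exe then writing into MpCmdRun.exe, conhost.exe and WMIADAP.exe, and cmd.exe running wusa /uninstall /kb:890830 followed by a choice-based delay) map directly onto host-telemetry detection rules. The Python below is an added example, not part of this report or of the sample: the event records are constructed to mirror the lines above, the record schema (event, parent, image, cmdline, source, target) is an assumed normalised form rather than any EDR or Sysmon field layout, and the dialer.exe parent allow-list and sensitive-target list are heuristic assumptions.

```python
"""Added example: turn the process-creation and remote-memory-write lines of
this report into simple host-telemetry detection rules.

The records in SAMPLE_EVENTS are constructed to mirror the report; the schema
(event/parent/image/cmdline/source/target) is an assumed normalised form,
not any product's field layout."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


# KB890830 is the Knowledge Base number of the Windows Malicious Software
# Removal Tool; a quiet uninstall of it is a defence-evasion indicator.
MSRT_KB = "890830"

# Parents from which an interactive dialer.exe launch is plausible
# (heuristic allow-list, an assumption of this example).
DIALER_BENIGN_PARENTS = {"explorer.exe"}

# Processes an unrelated image has no legitimate reason to write memory into:
# the targets seen in the report plus the two named by its injection signatures.
SENSITIVE_TARGETS = {"mpcmdrun.exe", "conhost.exe", "wmiadap.exe",
                     "winlogon.exe", "explorer.exe"}

# First token is the image (quoted or bare); the rest is the argument string.
# Unquoted image paths containing spaces are not handled; System32 binaries
# never need it.
ARGS_RE = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', re.S)
WUSA_RE = re.compile(r"\bwusa(?:\.exe)?\s+/uninstall\s+/kb:(\d+)", re.I)
CHOICE_DELAY_RE = re.compile(
    r"\bchoice(?:\.exe)?\s+/C\s+\S+\s+/N\s+/D\s+\S+\s+/T\s+(\d+)", re.I)


def image_name(path):
    """Lower-case file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cmdline_args(cmdline):
    """Argument string of a command line with the image token removed."""
    m = ARGS_RE.match(cmdline)
    return m.group(1).strip() if m else ""


def triage(events):
    """Return one Finding per record that matches a rule."""
    findings = []
    for ev in events:
        kind = ev.get("event")
        if kind == "process_create":
            img = image_name(ev["image"])
            parent = image_name(ev["parent"])
            cmd = ev.get("cmdline", "")
            if (img == "dialer.exe" and not cmdline_args(cmd)
                    and parent not in DIALER_BENIGN_PARENTS):
                # The legacy Phone Dialer started with no arguments by an
                # arbitrary binary: a quiet signed process to host injected code.
                findings.append(Finding("R1-dialer-host",
                                        f"{parent} started dialer.exe without arguments"))
            m = WUSA_RE.search(cmd)
            if m and m.group(1) == MSRT_KB:
                findings.append(Finding("R2-msrt-uninstall",
                                        f"{parent} uninstalled KB{MSRT_KB} via wusa"))
            m = CHOICE_DELAY_RE.search(cmd)
            if m and img == "choice.exe":
                # choice /T <n> with a default answer is a sleep substitute
                # typical of self-deleting batch files.
                findings.append(Finding("R3-choice-delay",
                                        f"{parent} used choice as a {m.group(1)}s delay"))
        elif kind == "remote_write":
            src, dst = image_name(ev["source"]), image_name(ev["target"])
            if src != dst and dst in SENSITIVE_TARGETS:
                findings.append(Finding("R4-remote-write", f"{src} wrote into {dst}"))
    return findings


# Constructed records mirroring the report, plus two benign controls.
SAMPLE_EVENTS = [
    {"event": "process_create", "parent": r"C:\Users\user\Desktop\whrbuflqwhah.exe",
     "image": r"C:\Windows\System32\dialer.exe", "cmdline": r"C:\Windows\system32\dialer.exe"},
    {"event": "process_create", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wusa.exe",
     "cmdline": "wusa /uninstall /kb:890830 /quiet /norestart"},
    {"event": "process_create", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\choice.exe", "cmdline": "choice /C Y /N /D Y /T 3"},
    {"event": "remote_write", "source": r"C:\Windows\System32\dialer.exe",
     "target": r"C:\Program Files\Windows Defender\MpCmdRun.exe"},
    {"event": "remote_write", "source": r"C:\Windows\System32\dialer.exe",
     "target": r"C:\Windows\System32\wbem\WMIADAP.exe"},
    # benign controls: user-launched dialer, ordinary update install
    {"event": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\dialer.exe", "cmdline": r"C:\Windows\System32\dialer.exe"},
    {"event": "process_create", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wusa.exe", "cmdline": r"wusa C:\updates\fix.msu /quiet"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:18} {f.detail}")
```

Run stand-alone it prints five findings for the constructed records: one each for R1, R2 and R3 and two R4 hits, while the two benign controls stay silent. R1 is the rule most worth tuning in production, since any software that legitimately shells out to dialer.exe would trip it.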

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\whrbuflqwhah.exe File written: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
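The hosts file write in this signature is the one artefact here that can be verified straight from a disk image; the report records only that C:\Windows\System32\drivers\etc\hosts was written, not its content. The Python below is an added example, not part of this report or of the sample: it parses a hosts file, diffs it against the stock Windows content (comments only) and grades additions that sinkhole security-vendor or update names. The post-infection hosts content and the vendor suffix watch-list are constructed assumptions for illustration, not what this sample wrote.

```python
"""Added example: diff a Windows hosts file against a baseline and grade the
additions. The report records only that the sample wrote
C:\\Windows\\System32\\drivers\\etc\\hosts; CONSTRUCTED_HOSTS below is
invented for illustration and is not what the sample wrote."""
import ipaddress

# Addresses that make a name resolve to nothing reachable.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# Heuristic watch-list (an assumption of this example, not taken from the
# report): suffixes of vendors whose update or cloud-lookup traffic malware
# commonly blackholes through the hosts file.
WATCHED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "virustotal.com",
                    "avast.com", "kaspersky.com", "malwarebytes.com",
                    "bitdefender.com", "eset.com", "sophos.com")

# Abbreviated stock Windows hosts file: comments only, so a clean system
# yields no entries at all.
BASELINE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
"""

# Constructed post-infection content: baseline plus four additions and one
# malformed line the resolver would ignore.
CONSTRUCTED_HOSTS = BASELINE_HOSTS + """
0.0.0.0      www.virustotal.com
127.0.0.1    update.microsoft.com
127.0.0.1    stats.example.com
10.0.0.5     intranet.example
not-an-ip    junk.example
"""


def parse_hosts(text):
    """Return (address, hostname) pairs with comments and malformed lines
    dropped, names lower-cased and addresses normalised via ipaddress."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # the Windows resolver skips such lines as well
        for name in parts[1:]:
            entries.append((addr, name.lower()))
    return entries


def is_watched(name):
    """True when name equals or is a subdomain of a watch-listed suffix."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def hosts_findings(current_text, baseline_text):
    """Entries in current_text absent from baseline_text, graded:
    high   sinkholed name on the watch-list
    medium sinkholed name not on the watch-list
    low    any other added mapping (review manually)"""
    baseline = set(parse_hosts(baseline_text))
    findings = []
    for addr, name in parse_hosts(current_text):
        if (addr, name) in baseline:
            continue
        sinkholed = addr in SINKHOLE_ADDRS
        if sinkholed and is_watched(name):
            severity = "high"
        elif sinkholed:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"addr": addr, "host": name, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in hosts_findings(CONSTRUCTED_HOSTS, BASELINE_HOSTS):
        print(f"{f['severity']:6} {f['addr']:<12} {f['host']}")
```

Against the constructed content this reports two high findings (the sinkholed virustotal.com and microsoft.com names), one medium (a sinkholed name outside the watch-list) and one low (a redirect to a private address), and skips the malformed line. On a real case the baseline should be the organisation's own managed hosts file rather than the stock one, and the watch-list extended with the vendors actually deployed.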
No contacted IP infos