Windows Analysis Report
SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe
Analysis ID: 1467092
MD5: 7691d7d1f5928448074900950ff80ec7
SHA1: 65025ed3950eca0eb5c253bfcad472f969dc2177
SHA256: bab017ca2aa472dc3b0370dba0bd356939a62947f4ff83ef4810a70a68fab1df
Tags: exe
Infos:

Detection

RHADAMANTHYS
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RHADAMANTHYS Stealer
AI detected suspicious sample
Allocates memory in foreign processes
Found many strings related to Crypto-Wallets (likely being stolen)
Sigma detected: Potentially Suspicious Malware Callback Communication
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapater information
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: Dllhost Internet Connection
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic

Classification

Name Description Attribution Blogpost URLs Link
Rhadamanthys According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
  • Sandworm
 https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe ReversingLabs: Detection: 31%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 98.4% probability
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: kernel32.pdbUGP source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073301415.0000028A00850000.00000004.00000001.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073360622.0000028A00910000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2075692995.000001696D050000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2075629839.000001696CF90000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdbUGP source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073514166.0000028A00850000.00000004.00000001.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073704673.0000028A00B30000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2075804118.000001696CF90000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2075999920.000001696D270000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073091575.0000028A00A40000.00000004.00000001.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2072945441.0000028A00850000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2075446574.000001696D180000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2075164420.000001696CF90000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: OpenWith.exe, 00000002.00000003.2166148051.000001696D2DD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073091575.0000028A00A40000.00000004.00000001.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2072945441.0000028A00850000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2075446574.000001696D180000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2075164420.000001696CF90000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073301415.0000028A00850000.00000004.00000001.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073360622.0000028A00910000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2075692995.000001696D050000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2075629839.000001696CF90000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: lfons\AppData\Local\Temp\Symbols\winload_prod.pdb source: OpenWith.exe, 00000002.00000003.2166148051.000001696D2D5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: win32u.pdb source: wmplayer.exe, 00000004.00000003.2291244045.000001E29B530000.00000004.00000001.00020000.00000000.sdmp, wmplayer.exe, 00000004.00000003.2291272850.000001E29B750000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: win32u.pdbGCTL source: wmplayer.exe, 00000004.00000003.2291244045.000001E29B530000.00000004.00000001.00020000.00000000.sdmp, wmplayer.exe, 00000004.00000003.2291272850.000001E29B750000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdb source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073514166.0000028A00850000.00000004.00000001.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073704673.0000028A00B30000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2075804118.000001696CF90000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2075999920.000001696D270000.00000004.00000001.00020000.00000000.sdmp
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\Windows\System32\OpenWith.exe Directory queried: number of queries: 1001
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Adobe Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4x nop then ret 4_2_000001E29B43108E
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4x nop then dec esp 4_2_000001E29B435641

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2854802 ETPRO TROJAN Suspected Rhadamanthys Related SSL Cert 91.92.250.172:4433 -> 192.168.2.5:49705
Source: Traffic Snort IDS: 2854802 ETPRO TROJAN Suspected Rhadamanthys Related SSL Cert 91.92.250.172:4433 -> 192.168.2.5:49706
Source: Traffic Snort IDS: 2854802 ETPRO TROJAN Suspected Rhadamanthys Related SSL Cert 91.92.250.172:4433 -> 192.168.2.5:49714
Source: Traffic Snort IDS: 2854802 ETPRO TROJAN Suspected Rhadamanthys Related SSL Cert 91.92.250.172:6015 -> 192.168.2.5:49715
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49705 -> 91.92.250.172:4433
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: THEZONEBG THEZONEBG
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: servicehost.org
Source: OpenWith.exe, 00000002.00000003.2168569073.000001696D9EC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2168693807.000001696D9ED000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2167995542.000001696D9EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: OpenWith.exe, 00000002.00000003.2168569073.000001696D9EC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2168693807.000001696D9ED000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2167995542.000001696D9EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: OpenWith.exe, 00000002.00000003.2168569073.000001696D9EC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2168693807.000001696D9ED000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2167995542.000001696D9EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: OpenWith.exe, 00000002.00000003.2168569073.000001696D9EC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2168693807.000001696D9ED000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2167995542.000001696D9EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: OpenWith.exe, 00000002.00000003.2169206679.000001696D9EC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2168569073.000001696D9EC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2167995542.000001696D9EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: OpenWith.exe, 00000002.00000003.2169206679.000001696D9EC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2168569073.000001696D9EC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2167995542.000001696D9EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: OpenWith.exe, 00000002.00000003.2168569073.000001696D9EC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2167995542.000001696D9EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: wmplayer.exe, 00000004.00000002.3277729550.000001E29B826000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://servicehost.org:4433/2a714e8b4eb18f2b2/Exploit
Source: OpenWith.exe, 00000002.00000003.2168569073.000001696D9EC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2168693807.000001696D9ED000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2167995542.000001696D9EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: OpenWith.exe, 00000002.00000003.2168569073.000001696D9EC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2168693807.000001696D9ED000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2167995542.000001696D9EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Creates a DirectInput object (often for capturing keystrokes)
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073514166.0000028A00850000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DirectInput8Create memstr_cac679b0-9
Installs a raw input device (often for capturing keystrokes)
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073514166.0000028A00850000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_5d09a1bb-d
Yara detected Keylogger Generic
Source: Yara match File source: 0.3.SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe.28a00b30000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe.28a00b30000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.OpenWith.exe.1696d270000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.OpenWith.exe.1696cf90000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe.28a00850000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe.28a00850000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.3.OpenWith.exe.1696cf90000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000003.2075804118.000001696CF90000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2073704673.0000028A00B30000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2075999920.000001696D270000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2073514166.0000028A00850000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe PID: 5508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OpenWith.exe PID: 6468, type: MEMORYSTR
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_0000028A000151B4 NtQueryInformationProcess, 0_3_0000028A000151B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_0000028A000156A8 NtQuerySystemInformation,NtQuerySystemInformation,GetTokenInformation,FindCloseChangeNotification,FindCloseChangeNotification, 0_3_0000028A000156A8
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_000001696C6E30C7 RtlAllocateHeap,RtlAllocateHeap,_calloc_dbg,NtAllocateVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,RtlDeleteBoundaryDescriptor,RtlDeleteBoundaryDescriptor, 2_3_000001696C6E30C7
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0D1CE8 _calloc_dbg,CreateProcessW,NtResumeThread,FindCloseChangeNotification,??3@YAXPEAX@Z, 4_3_00007DF41D0D1CE8
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0D1958 _calloc_dbg,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtQueryInformationProcess,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory, 4_3_00007DF41D0D1958
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B4428E8 NtAcceptConnectPort, 4_2_000001E29B4428E8
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B4428B8 NtAcceptConnectPort, 4_2_000001E29B4428B8
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B442990 NtAcceptConnectPort, 4_2_000001E29B442990
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B4427B8 NtAcceptConnectPort, 4_2_000001E29B4427B8
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B44288C NtAcceptConnectPort, 4_2_000001E29B44288C
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B44252C NtAcceptConnectPort, 4_2_000001E29B44252C
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B442418 NtAcceptConnectPort, 4_2_000001E29B442418
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B442C64 NtAcceptConnectPort, 4_2_000001E29B442C64
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B4429D4 NtAcceptConnectPort, 4_2_000001E29B4429D4
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_00007DF41D0D199C NtQueryInformationProcess,NtReadVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory, 4_2_00007DF41D0D199C
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_00007DF41D0D1E64 CreateProcessW,NtResumeThread,FindCloseChangeNotification, 4_2_00007DF41D0D1E64
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_00007DF41D0E2704 NtQuerySystemInformation,_malloc_dbg,NtQuerySystemInformation, 4_2_00007DF41D0E2704
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB03385C NtQuerySystemInformation, 5_2_0000021DDB03385C
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_00007FF6CC9B18D7 0_3_00007FF6CC9B18D7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_0000028A00014A54 0_3_0000028A00014A54
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_0000028A00015BC0 0_3_0000028A00015BC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_0000028A00019FFC 0_3_0000028A00019FFC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_0000028A00018A58 0_3_0000028A00018A58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_0000028A00013CEC 0_3_0000028A00013CEC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_0000028A00011500 0_3_0000028A00011500
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_0000028A00012F00 0_3_0000028A00012F00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_0000028A0001870C 0_3_0000028A0001870C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_0000028A0001710C 0_3_0000028A0001710C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_0000028A00023E95 0_3_0000028A00023E95
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_000001696AC50967 2_3_000001696AC50967
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_000001696C6E5E7C 2_3_000001696C6E5E7C
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_000001696C6E24F7 2_3_000001696C6E24F7
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_000001696C6E58FC 2_3_000001696C6E58FC
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_000001696C6E1BA6 2_3_000001696C6E1BA6
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_000001696C6E279C 2_3_000001696C6E279C
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_000001696C6E557C 2_3_000001696C6E557C
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_000001696C6E4A38 2_3_000001696C6E4A38
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_000001696C6E2C3C 2_3_000001696C6E2C3C
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_000001E29B541F40 4_3_000001E29B541F40
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_000001E29B54027B 4_3_000001E29B54027B
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_000001E29B542718 4_3_000001E29B542718
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_000001E29B54170E 4_3_000001E29B54170E
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_000001E29B543660 4_3_000001E29B543660
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0D2204 4_3_00007DF41D0D2204
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0D4EFC 4_3_00007DF41D0D4EFC
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0D392C 4_3_00007DF41D0D392C
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0B60A5 4_3_00007DF41D0B60A5
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0A54C0 4_3_00007DF41D0A54C0
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0B50D6 4_3_00007DF41D0B50D6
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0B58F8 4_3_00007DF41D0B58F8
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0B6927 4_3_00007DF41D0B6927
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0ABD49 4_3_00007DF41D0ABD49
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0AF149 4_3_00007DF41D0AF149
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0B3D3B 4_3_00007DF41D0B3D3B
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0B7554 4_3_00007DF41D0B7554
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0A4F8A 4_3_00007DF41D0A4F8A
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0A83BA 4_3_00007DF41D0A83BA
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0ADFEB 4_3_00007DF41D0ADFEB
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0A8C19 4_3_00007DF41D0A8C19
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0B5456 4_3_00007DF41D0B5456
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0B5AB2 4_3_00007DF41D0B5AB2
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0B2F24 4_3_00007DF41D0B2F24
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0B6F4A 4_3_00007DF41D0B6F4A
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0B0F5A 4_3_00007DF41D0B0F5A
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0B6B5B 4_3_00007DF41D0B6B5B
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0AA5A5 4_3_00007DF41D0AA5A5
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0B21C7 4_3_00007DF41D0B21C7
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0AC5C4 4_3_00007DF41D0AC5C4
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0B71FE 4_3_00007DF41D0B71FE
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0B5227 4_3_00007DF41D0B5227
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_3_00007DF41D0B7A58 4_3_00007DF41D0B7A58
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B432628 4_2_000001E29B432628
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B442D24 4_2_000001E29B442D24
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B43C25C 4_2_000001E29B43C25C
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B465918 4_2_000001E29B465918
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B4648D0 4_2_000001E29B4648D0
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B450174 4_2_000001E29B450174
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B46E984 4_2_000001E29B46E984
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B46F940 4_2_000001E29B46F940
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B44D010 4_2_000001E29B44D010
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B46A81C 4_2_000001E29B46A81C
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B470874 4_2_000001E29B470874
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B457094 4_2_000001E29B457094
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B45D854 4_2_000001E29B45D854
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B453EA4 4_2_000001E29B453EA4
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B44BEB8 4_2_000001E29B44BEB8
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B4586B4 4_2_000001E29B4586B4
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B465EC8 4_2_000001E29B465EC8
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B463F70 4_2_000001E29B463F70
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B446F24 4_2_000001E29B446F24
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B44C750 4_2_000001E29B44C750
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B464DE8 4_2_000001E29B464DE8
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B44F618 4_2_000001E29B44F618
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B4655B0 4_2_000001E29B4655B0
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B4695D4 4_2_000001E29B4695D4
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B457684 4_2_000001E29B457684
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B46ECE4 4_2_000001E29B46ECE4
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B44DCE4 4_2_000001E29B44DCE4
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B456D18 4_2_000001E29B456D18
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B4314D0 4_2_000001E29B4314D0
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B470D90 4_2_000001E29B470D90
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B46CC00 4_2_000001E29B46CC00
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B460478 4_2_000001E29B460478
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B476434 4_2_000001E29B476434
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B445ADC 4_2_000001E29B445ADC
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B44E398 4_2_000001E29B44E398
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B46F1D0 4_2_000001E29B46F1D0
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B470270 4_2_000001E29B470270
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B447270 4_2_000001E29B447270
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B463A38 4_2_000001E29B463A38
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B464A50 4_2_000001E29B464A50
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B473A4D 4_2_000001E29B473A4D
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_00007DF41D0D22CC 4_2_00007DF41D0D22CC
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB048980 5_2_0000021DDB048980
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB049998 5_2_0000021DDB049998
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB053210 5_2_0000021DDB053210
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB052254 5_2_0000021DDB052254
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB0370EA 5_2_0000021DDB0370EA
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB054144 5_2_0000021DDB054144
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB0427A4 5_2_0000021DDB0427A4
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB03BFE4 5_2_0000021DDB03BFE4
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB036FF8 5_2_0000021DDB036FF8
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB049818 5_2_0000021DDB049818
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB04A860 5_2_0000021DDB04A860
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB048EB8 5_2_0000021DDB048EB8
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB04F76C 5_2_0000021DDB04F76C
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB0525B4 5_2_0000021DDB0525B4
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB03C5D4 5_2_0000021DDB03C5D4
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB038DF4 5_2_0000021DDB038DF4
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB03D604 5_2_0000021DDB03D604
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB061E08 5_2_0000021DDB061E08
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB04AE10 5_2_0000021DDB04AE10
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB054660 5_2_0000021DDB054660
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB05C668 5_2_0000021DDB05C668
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB04A4F8 5_2_0000021DDB04A4F8
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB05C500 5_2_0000021DDB05C500
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB04E51C 5_2_0000021DDB04E51C
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB049D30 5_2_0000021DDB049D30
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB0453C8 5_2_0000021DDB0453C8
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB03BC68 5_2_0000021DDB03BC68
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB052AA0 5_2_0000021DDB052AA0
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB053B40 5_2_0000021DDB053B40
Source: C:\Windows\System32\dllhost.exe Code function: 5_2_0000021DDB03737C 5_2_0000021DDB03737C
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000000.2038878983.00007FF6CC9CD000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename4 vs SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073360622.0000028A009CB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073091575.0000028A00BC6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073514166.0000028A00850000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKernelbase.dllj% vs SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073301415.0000028A00850000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073301415.0000028A00850000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2072945441.0000028A009C8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073360622.0000028A00910000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073704673.0000028A00DC5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKernelbase.dllj% vs SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Binary or memory string: OriginalFilename4 vs SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe
Source: classification engine Classification label: mal100.troj.spyw.winEXE@7/0@1/1
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B432628 CreateToolhelp32Snapshot,Thread32First,Thread32Next,FindCloseChangeNotification,SuspendThread, 4_2_000001E29B432628
Source: C:\Windows\System32\OpenWith.exe Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
Source: C:\Windows\System32\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: OpenWith.exe, 00000002.00000003.2146132400.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2151701654.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2173999560.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2162730362.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2172221902.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2144743517.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2168919912.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2145943011.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2166530938.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2178284141.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2141380788.000001696D364000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: OpenWith.exe, 00000002.00000003.2146132400.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2151701654.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2173999560.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2162730362.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2172221902.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2144743517.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2168919912.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2145943011.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2166530938.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2178284141.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2141380788.000001696D364000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: OpenWith.exe, 00000002.00000003.2146132400.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2151701654.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2173999560.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2162730362.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2172221902.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2144743517.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2168919912.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2145943011.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2166530938.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2178284141.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2141380788.000001696D364000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: OpenWith.exe, 00000002.00000003.2146132400.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2151701654.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2173999560.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2162730362.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2172221902.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2144743517.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2168919912.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2145943011.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2166530938.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2178284141.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2141380788.000001696D364000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: OpenWith.exe, 00000002.00000003.2146132400.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2151701654.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2173999560.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2162730362.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2172221902.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2144743517.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2168919912.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2145943011.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2166530938.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2178284141.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2141380788.000001696D364000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: OpenWith.exe, 00000002.00000003.2146132400.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2151701654.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2173999560.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2162730362.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2172221902.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2144743517.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2168919912.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2145943011.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2166530938.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2178284141.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2141380788.000001696D364000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: OpenWith.exe, 00000002.00000003.2173382185.000001696D9F3000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2169206679.000001696D9E8000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2168693807.000001696DA23000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2168919912.000001696DA23000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2172949995.000001696DB63000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: OpenWith.exe, 00000002.00000003.2146132400.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2151701654.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2173999560.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2162730362.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2172221902.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2144743517.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2168919912.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2145943011.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2166530938.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2178284141.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2141380788.000001696D364000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows Media Player\wmplayer.exe "C:\Program Files\Windows Media Player\wmplayer.exe"
Source: C:\Program Files\Windows Media Player\wmplayer.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe" Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows Media Player\wmplayer.exe "C:\Program Files\Windows Media Player\wmplayer.exe" Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wudfplatform.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\dllhost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\dllhost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\dllhost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\dllhost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\7.0\Outlook\Profiles\Outlook Jump to behavior
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: kernel32.pdbUGP source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073301415.0000028A00850000.00000004.00000001.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073360622.0000028A00910000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2075692995.000001696D050000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2075629839.000001696CF90000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdbUGP source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073514166.0000028A00850000.00000004.00000001.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073704673.0000028A00B30000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2075804118.000001696CF90000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2075999920.000001696D270000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073091575.0000028A00A40000.00000004.00000001.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2072945441.0000028A00850000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2075446574.000001696D180000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2075164420.000001696CF90000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: OpenWith.exe, 00000002.00000003.2166148051.000001696D2DD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073091575.0000028A00A40000.00000004.00000001.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2072945441.0000028A00850000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2075446574.000001696D180000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2075164420.000001696CF90000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073301415.0000028A00850000.00000004.00000001.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073360622.0000028A00910000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2075692995.000001696D050000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2075629839.000001696CF90000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: lfons\AppData\Local\Temp\Symbols\winload_prod.pdb source: OpenWith.exe, 00000002.00000003.2166148051.000001696D2D5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: win32u.pdb source: wmplayer.exe, 00000004.00000003.2291244045.000001E29B530000.00000004.00000001.00020000.00000000.sdmp, wmplayer.exe, 00000004.00000003.2291272850.000001E29B750000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: win32u.pdbGCTL source: wmplayer.exe, 00000004.00000003.2291244045.000001E29B530000.00000004.00000001.00020000.00000000.sdmp, wmplayer.exe, 00000004.00000003.2291272850.000001E29B750000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdb source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073514166.0000028A00850000.00000004.00000001.00020000.00000000.sdmp, SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe, 00000000.00000003.2073704673.0000028A00B30000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2075804118.000001696CF90000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2075999920.000001696D270000.00000004.00000001.00020000.00000000.sdmp
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
PE file contains sections with non-standard names
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Static PE information: section name: .textbss
Source: SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Static PE information: section name: _RDATA
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_00007FF6CC9B59E3 push esi; retf 0_3_00007FF6CC9B59E6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_00007FF6CC9B35EC push esi; ret 0_3_00007FF6CC9B35ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_00007FF6CC9B17D5 push cs; ret 0_3_00007FF6CC9B18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_00007FF6CC9B4427 pushad ; ret 0_3_00007FF6CC9B4428
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_00007FF6CC9B6C12 push edx; retf 0_3_00007FF6CC9B6C26
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_00007FF6CC9B220B push eax; iretd 0_3_00007FF6CC9B2224
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_00007FF6CC9B62E3 push ebx; ret 0_3_00007FF6CC9B62E6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_00007FF6CC9B5ED9 push esi; ret 0_3_00007FF6CC9B5EDD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_00007FF6CC9B48BE push eax; retf 0_3_00007FF6CC9B48BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_00007FF6CC9B40F7 push eax; ret 0_3_00007FF6CC9B40FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_00007FF6CC9B430B push eax; retf 0_3_00007FF6CC9B430C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_00007FF6CC9B1865 push cs; ret 0_3_00007FF6CC9B18C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_00007FF6CC9B5643 push eax; retf 0_3_00007FF6CC9B5645
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_00007FF6CC9B4EB2 pushad ; retf 0_3_00007FF6CC9B4EB3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_0000028A0001C219 pushad ; retf 0_3_0000028A0001C221
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_0000028A00028560 push ds; retf 0_3_0000028A00028577
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_0000028A00025C06 push esi; ret 0_3_0000028A00025C07
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_0000028A0002B627 push ebp; iretd 0_3_0000028A0002B628
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_0000028A00023E70 push ebp; retf 0_3_0000028A00023E94
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_0000028A00023E95 push ebp; retf 0_3_0000028A00023E94
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_0000028A000274C6 push esi; ret 0_3_0000028A000274CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_0000028A0002BACB pushad ; iretd 0_3_0000028A00352EB3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_0000028A000256D9 push ecx; ret 0_3_0000028A00025700
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_0000028A00024B35 push ss; iretd 0_3_0000028A0031919F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_2_00007FF6CC9593E6 push 3C95CC23h; iretd 0_2_00007FF6CC9593EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_2_00007FF6CC95A778 pushfq ; iretd 0_2_00007FF6CC95A779
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_2_00007FF6CC954918 push rsi; retf 0_2_00007FF6CC954923
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_2_00007FF6CC9596B5 push FFFFFF81h; retf 0_2_00007FF6CC9596B7
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_000001696AC53F42 pushad ; retf 2_3_000001696AC53F43
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_000001696AC546D3 push eax; retf 2_3_000001696AC546D5
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_000001696AC508F5 push cs; ret 2_3_000001696AC50954
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\dllhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\dllhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Contains functionality to query network adapater information
Source: C:\Windows\System32\dllhost.exe Code function: GetAdaptersInfo, 5_2_0000021DDB032AC4
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_3_0000028A00014FD4 GetSystemInfo, 0_3_0000028A00014FD4
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Adobe Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Adobe\Acrobat Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: OpenWith.exe, 00000002.00000003.2143323189.000001696CF4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkmbolicLinkSymbolicLink
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: OpenWith.exe, 00000002.00000003.2143323189.000001696CF4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkLinkcLinkSymbolicLink
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: wmplayer.exe, 00000004.00000002.3277503574.000001E29B587000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 00000005.00000002.3277318260.0000021DDB11A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: dllhost.exe, 00000005.00000002.3277318260.0000021DDB11A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: OpenWith.exe, 00000002.00000003.2075999920.000001696D270000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: OpenWith.exe, 00000002.00000003.2075999920.000001696D270000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: OpenWith.exe, 00000002.00000003.2171302580.000001696DA1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Process information queried: ProcessInformation Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Program Files\Windows Media Player\wmplayer.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 21DDB030000 protect: page read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Program Files\Windows Media Player\wmplayer.exe Memory written: C:\Windows\System32\dllhost.exe base: 21DDB030000 Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe Memory written: C:\Windows\System32\dllhost.exe base: 7FF6698214E0 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe" Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows Media Player\wmplayer.exe "C:\Program Files\Windows Media Player\wmplayer.exe" Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\dllhost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B43CDF4 CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 4_2_000001E29B43CDF4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe Code function: 0_2_00007FF6CC9A615C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF6CC9A615C
Source: C:\Windows\System32\OpenWith.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected RHADAMANTHYS Stealer
Source: Yara match File source: 00000000.00000003.2072119815.0000028A00000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2162730362.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2146132400.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2152607598.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2172221902.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2144743517.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2173999560.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2160604237.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2151701654.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2168919912.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2145943011.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2143914701.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2074250320.0000028A00011000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2156804131.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2166530938.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2149150890.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2162510756.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2153389081.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2178284141.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2144420099.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2158433515.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2155578371.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2160318605.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2158989228.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2168693807.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2161695796.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2147712177.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2170089401.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2155772326.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2149741241.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2158123556.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2163534539.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2177149426.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2156620245.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2173760062.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2168258050.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2170716518.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2151370818.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2161419525.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2149327727.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2159254038.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2160077344.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2161993900.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2157000461.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2145568055.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2148023665.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2156429560.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2147540781.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2157257186.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2155023843.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2167528754.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2147111279.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2160876076.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2153076808.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2154545113.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2153930987.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2157484419.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2154778492.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2161146099.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2150322070.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2169206679.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2159533104.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2177711934.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2159774834.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2147354231.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2155990457.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2179330379.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2074402005.000001696ACE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2146350943.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2163727757.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2169561570.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2168435601.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2156237400.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2158714760.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2146569417.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2146928114.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2153718645.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2173044127.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2145186850.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2167868673.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2157801248.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2154177761.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2143147524.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2173382185.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2155295704.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2148943136.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2143652418.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2143467189.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Found many strings related to Crypto-Wallets (likely being stolen)
Source: OpenWith.exe, 00000002.00000003.2169367956.000001696CF6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Data%\Qtum-Electrum\config
Source: OpenWith.exe, 00000002.00000003.2172654033.000001696CF27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\ElectronCash\config
Source: OpenWith.exe, 00000002.00000003.2172654033.000001696CF3F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\com.liberty.jaxx
Source: OpenWith.exe, 00000002.00000003.2172791367.000001696CF38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: OpenWith.exe, 00000002.00000003.2172791367.000001696CF38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\Exodus
Source: OpenWith.exe, 00000002.00000003.2172654033.000001696CF27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\Coinomi\Coinomi\wallets
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-Qt Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\031db23f-f53a-4d6b-b429-cd0302ef56d3 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\3e445a25-c088-46bb-968a-82532b92e486 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\6490c938-fe3f-48ae-bc5e-e1986298f7c1 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\safebrowsing Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Monochrome Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\a5f61848-f128-4a80-965b-a3000feed295 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\startupCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Monochrome Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Maskable Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons Maskable Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\settings\main Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\trash4675 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\settings\main\ms-language-packs\browser\newtab Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\safebrowsing\google4 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\entries Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Maskable Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Monochrome Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\58ef9818-5ea1-49a0-b5b0-9338401a7943 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\thumbnails Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Monochrome Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Maskable Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cache2\doomed Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons Monochrome Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\yiaxs5ej.default Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\15702f96-fbc1-4934-99bf-a9a7406c1be7 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Monochrome Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\settings Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons Maskable Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\settings\main\ms-language-packs\browser Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\v6zchhhv.default-release\settings\main\ms-language-packs Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons Maskable Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior
Searches for user specific document files
Source: C:\Windows\System32\OpenWith.exe Directory queried: C:\Users\user\Documents\AQRFEVRTGL Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Directory queried: C:\Users\user\Documents\LFOPODGVOH Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Directory queried: C:\Users\user\Documents\ZGGKNSUKOP Jump to behavior
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\Windows\System32\OpenWith.exe Directory queried: number of queries: 1001
Yara detected Credential Stealer
Source: Yara match File source: 00000002.00000003.2178047810.000001696CF53000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2171203616.000001696CF4E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2172654033.000001696CF4E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2172791367.000001696CF4E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: OpenWith.exe PID: 6468, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected RHADAMANTHYS Stealer
Source: Yara match File source: 00000000.00000003.2072119815.0000028A00000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2162730362.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2146132400.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2152607598.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2172221902.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2144743517.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2173999560.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2160604237.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2151701654.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2168919912.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2145943011.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2143914701.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2074250320.0000028A00011000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2156804131.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2166530938.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2149150890.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2162510756.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2153389081.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2178284141.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2144420099.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2158433515.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2155578371.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2160318605.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2158989228.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2168693807.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2161695796.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2147712177.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2170089401.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2155772326.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2149741241.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2158123556.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2163534539.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2177149426.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2156620245.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2173760062.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2168258050.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2170716518.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2151370818.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2161419525.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2149327727.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2159254038.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2160077344.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2161993900.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2157000461.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2145568055.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2148023665.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2156429560.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2147540781.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2157257186.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2155023843.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2167528754.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2147111279.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2160876076.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2153076808.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2154545113.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2153930987.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2157484419.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2154778492.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2161146099.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2150322070.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2169206679.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2159533104.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2177711934.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2159774834.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2147354231.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2155990457.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2179330379.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2074402005.000001696ACE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2146350943.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2163727757.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2169561570.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2168435601.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2156237400.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2158714760.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2146569417.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2146928114.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2153718645.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2173044127.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2145186850.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2167868673.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2157801248.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2154177761.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2143147524.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2173382185.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2155295704.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2148943136.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2143652418.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2143467189.000001696DA2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4_2_000001E29B43CDF4 CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 4_2_000001E29B43CDF4
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1467092 Sample: SecuriteInfo.com.Win64.Evo-... Startdate: 03/07/2024 Architecture: WINDOWS Score: 100 20 servicehost.org 2->20 24 Snort IDS alert for network traffic 2->24 26 Multi AV Scanner detection for submitted file 2->26 28 Yara detected RHADAMANTHYS Stealer 2->28 30 2 other signatures 2->30 9 SecuriteInfo.com.Win64.Evo-gen.8364.21532.exe 1 2->9         started        signatures3 process4 process5 11 OpenWith.exe 9->11         started        dnsIp6 22 servicehost.org 91.92.250.172, 4433, 49705, 49706 THEZONEBG Bulgaria 11->22 32 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->32 34 Tries to steal Mail credentials (via file / registry access) 11->34 36 Found many strings related to Crypto-Wallets (likely being stolen) 11->36 38 2 other signatures 11->38 15 wmplayer.exe 11->15         started        signatures7 process8 signatures9 40 Writes to foreign memory regions 15->40 42 Allocates memory in foreign processes 15->42 18 dllhost.exe 15->18         started        process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
91.92.250.172
 servicehost.org Bulgaria
34368 THEZONEBG true

Contacted Domains

Name IP Active
servicehost.org 91.92.250.172 true