Windows Analysis Report
UGcjMkPWwW.exe

Overview

General Information

Sample name: UGcjMkPWwW.exe (renamed because the original name is a hash value)
Original sample name: 14988e9d35a0c92435297f7b2821dc60.exe
Analysis ID: 1542681
MD5: 14988e9d35a0c92435297f7b2821dc60
SHA1: 8c00da2ab4cf6da0c179f283eac0053231859f8c
SHA256: 677b8ff45ebb9486a99aecf8dd2b4b362010573ecc4d0d082eda6a36a7cab671
Tags: 32, exe, trojan

Detection

RHADAMANTHYS
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RHADAMANTHYS Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Dllhost Internet Connection
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic

Classification

Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
Attribution: Sandworm
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

AV Detection

Source: UGcjMkPWwW.exe Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://185.196.11.237:9697/f002171ab05c7/9xqdctgg.ir1fr"}
Source: https://185.196.11.237:9697/f002171ab05c7/9xqdctgg.ir1fr Virustotal: Detection: 8%
Source: UGcjMkPWwW.exe ReversingLabs: Detection: 65%
Source: UGcjMkPWwW.exe Virustotal: Detection: 82%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: UGcjMkPWwW.exe Joe Sandbox ML: detected
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_00007DF401542258 CryptUnprotectData, 2_3_00007DF401542258
Source: UGcjMkPWwW.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 193.149.185.109:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: UGcjMkPWwW.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: OpenWith.exe, 00000002.00000002.2117470660.00000251D3118000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdb source: UGcjMkPWwW.exe, 00000000.00000003.1742498648.0000000003C80000.00000004.00000001.00020000.00000000.sdmp, UGcjMkPWwW.exe, 00000000.00000003.1742437180.0000000000550000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1745057785.0000000004F60000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1745121603.0000000005080000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: OpenWith.exe, 00000002.00000002.2117470660.00000251D3118000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: UGcjMkPWwW.exe, 00000000.00000003.1742681763.0000000003C00000.00000004.00000001.00020000.00000000.sdmp, UGcjMkPWwW.exe, 00000000.00000003.1742866792.0000000003E20000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1745436761.0000000005180000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1745270453.0000000004F60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb!8 source: OpenWith.exe, 00000002.00000002.2117470660.00000251D3118000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: UGcjMkPWwW.exe, 00000000.00000003.1741895197.0000000003DF0000.00000004.00000001.00020000.00000000.sdmp, UGcjMkPWwW.exe, 00000000.00000003.1741747932.0000000003C00000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1744570517.0000000005150000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1744423678.0000000004F60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: UGcjMkPWwW.exe, 00000000.00000003.1742108870.0000000003C00000.00000004.00000001.00020000.00000000.sdmp, UGcjMkPWwW.exe, 00000000.00000003.1742251026.0000000003DA0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1744926026.0000000005100000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1744787920.0000000004F60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: UGcjMkPWwW.exe, 00000000.00000003.1741895197.0000000003DF0000.00000004.00000001.00020000.00000000.sdmp, UGcjMkPWwW.exe, 00000000.00000003.1741747932.0000000003C00000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1744570517.0000000005150000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1744423678.0000000004F60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: UGcjMkPWwW.exe, 00000000.00000003.1742108870.0000000003C00000.00000004.00000001.00020000.00000000.sdmp, UGcjMkPWwW.exe, 00000000.00000003.1742251026.0000000003DA0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1744926026.0000000005100000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1744787920.0000000004F60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831H source: OpenWith.exe, 00000002.00000002.2117470660.00000251D3118000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: win32u.pdb source: wmlaunch.exe, wmlaunch.exe, 00000006.00000003.2031195643.000001E4D5B30000.00000004.00000001.00020000.00000000.sdmp, wmlaunch.exe, 00000006.00000003.2031233133.000001E4D5B60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: UGcjMkPWwW.exe, 00000000.00000003.1742681763.0000000003C00000.00000004.00000001.00020000.00000000.sdmp, UGcjMkPWwW.exe, 00000000.00000003.1742866792.0000000003E20000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1745436761.0000000005180000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1745270453.0000000004F60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: UGcjMkPWwW.exe, 00000000.00000003.1742498648.0000000003C80000.00000004.00000001.00020000.00000000.sdmp, UGcjMkPWwW.exe, 00000000.00000003.1742437180.0000000000550000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1745057785.0000000004F60000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1745121603.0000000005080000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: win32u.pdbGCTL source: wmlaunch.exe, 00000006.00000003.2031195643.000001E4D5B30000.00000004.00000001.00020000.00000000.sdmp, wmlaunch.exe, 00000006.00000003.2031233133.000001E4D5B60000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft
Source: C:\Windows\System32\OpenWith.exe Code function: 4x nop then dec esp 2_3_00007DF40154E261
Source: C:\Windows\System32\OpenWith.exe Code function: 4x nop then dec esp 2_2_00000251D3090511
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 4x nop then dec esp 6_2_000001E4D5865641

Networking

Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 185.196.11.237:9697 -> 192.168.2.4:49730
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 185.196.11.237:9697 -> 192.168.2.4:49738
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 185.196.11.237:9697 -> 192.168.2.4:49735
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 193.149.185.109:443 -> 192.168.2.4:49739
Source: Malware configuration extractor URLs: https://185.196.11.237:9697/f002171ab05c7/9xqdctgg.ir1fr
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 185.196.11.237:9697
Source: Joe Sandbox View ASN Name: SIMPLECARRIERCH
Source: Joe Sandbox View ASN Name: DANISCODK
Source: Joe Sandbox View JA3 fingerprint: caec7ddf6889590d999d7ca1b76373b6
Source: Network traffic Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 185.196.11.237:9697 -> 192.168.2.4:49735
Source: Network traffic Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 185.196.11.237:9697 -> 192.168.2.4:49738
Source: unknown TCP traffic detected without corresponding DNS query: 185.196.11.237
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_00007DF401574520 WSARecv, 2_3_00007DF401574520
Source: OpenWith.exe, OpenWith.exe, 00000002.00000003.1900288624.00000251D50FA000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2066579486.00000251D50BB000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1901618122.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2116558649.00000251D5171000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000002.2118106280.00000251D5363000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1897761721.00000251D5158000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1906943216.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1934539814.00000251D5172000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1939343716.00000251D5172000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1897605961.00000251D5158000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1900970366.00000251D50F3000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1899717451.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1904033708.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1902184169.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1903499792.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1905062934.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1900141786.00000251D50F8000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1877587550.00000251D5158000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1899522861.00000251D5158000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2116279598.00000251D535B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.196.11.237:9697/f002171ab05c7/9xqdctgg.ir1fr
Source: OpenWith.exe, 00000001.00000002.1826825865.0000000000ABC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://185.196.11.237:9697/f002171ab05c7/9xqdctgg.ir1fr(
Source: wmlaunch.exe, 00000006.00000002.2963426023.000001E4D5C77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://185.196.11.237:9697/f002171ab05c7/9xqdctgg.ir1frV
Source: OpenWith.exe, 00000001.00000003.1826414618.000000000534A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000002.2117417948.00000251D3090000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: https://185.196.11.237:9697/f002171ab05c7/9xqdctgg.ir1frkernelbasentdllkernel32GetProcessMitigationP
Source: OpenWith.exe, 00000002.00000003.1900288624.00000251D50FA000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1938316310.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1901618122.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1906943216.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1900970366.00000251D50F3000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1899522861.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1899717451.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1904033708.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1902184169.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1903499792.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1905062934.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1900141786.00000251D50F8000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000002.2117938689.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1933970869.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2058362092.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1898982100.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1898402687.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1934822201.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1901371041.00000251D50FA000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2066321617.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1927967536.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: OpenWith.exe, 00000002.00000003.1900288624.00000251D50FA000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1938316310.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1901618122.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1906943216.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1900970366.00000251D50F3000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1899522861.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1899717451.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1904033708.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1902184169.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1903499792.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1905062934.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1900141786.00000251D50F8000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000002.2117938689.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1933970869.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2058362092.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1898982100.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1898402687.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1934822201.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1901371041.00000251D50FA000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2066321617.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1927967536.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: OpenWith.exe, 00000002.00000003.1900288624.00000251D50FA000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1938316310.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1901618122.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1906943216.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1900970366.00000251D50F3000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1899522861.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1899717451.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1904033708.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1902184169.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1903499792.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1905062934.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1900141786.00000251D50F8000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000002.2117938689.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1933970869.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2058362092.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1898982100.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1898402687.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1934822201.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1901371041.00000251D50FA000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2066321617.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1927967536.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: OpenWith.exe, 00000002.00000003.1900288624.00000251D50FA000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1938316310.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1901618122.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1906943216.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1900970366.00000251D50F3000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1899522861.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1899717451.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1904033708.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1902184169.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1903499792.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1905062934.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1900141786.00000251D50F8000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000002.2117938689.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1933970869.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2058362092.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1898982100.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1898402687.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1934822201.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1901371041.00000251D50FA000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2066321617.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1927967536.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: OpenWith.exe, 00000002.00000003.1907438108.00000251D568E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discord.com
Source: OpenWith.exe, 00000002.00000003.1907438108.00000251D568E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discordapp.com
Source: OpenWith.exe, 00000002.00000003.1898982100.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1898402687.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: OpenWith.exe, 00000002.00000003.1898982100.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1898402687.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: OpenWith.exe, 00000002.00000003.1898982100.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1898402687.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: OpenWith.exe, 00000002.00000003.1906943216.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000002.2118049130.00000251D5189000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1908124915.00000251D5186000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2058668514.00000251D5186000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1939089748.00000251D5186000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2066984941.00000251D5189000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mic
Source: OpenWith.exe, 00000002.00000003.1907554669.00000251D50DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: OpenWith.exe, 00000002.00000003.1900403681.00000251D561B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: OpenWith.exe, 00000002.00000003.1907554669.00000251D50DA000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1901371041.00000251D50FA000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000002.2117778749.00000251D50BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: OpenWith.exe, 00000002.00000003.1900403681.00000251D561B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: OpenWith.exe, 00000002.00000003.1900288624.00000251D50FA000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1900970366.00000251D50F3000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1900141786.00000251D50F8000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1901371041.00000251D50FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17t.mc_id=EnterPK201694ba2e0b-6
Source: OpenWith.exe, 00000002.00000003.1900288624.00000251D50FA000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1938316310.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1901618122.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1906943216.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1900970366.00000251D50F3000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1899522861.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1899717451.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1904033708.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1902184169.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1903499792.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1905062934.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1900141786.00000251D50F8000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000002.2117938689.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1933970869.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2058362092.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1898982100.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1898402687.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1934822201.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1901371041.00000251D50FA000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2066321617.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1927967536.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: OpenWith.exe, 00000002.00000003.1899522861.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1899717451.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1898982100.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1898402687.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 193.149.185.109:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: UGcjMkPWwW.exe, 00000000.00000003.1742681763.0000000003C00000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DirectInput8Create memstr_1aaee10a-c
Source: UGcjMkPWwW.exe, 00000000.00000003.1742681763.0000000003C00000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_4915282c-b
Source: Yara match File source: 1.3.OpenWith.exe.5180000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.UGcjMkPWwW.exe.3c00000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.OpenWith.exe.5180000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.UGcjMkPWwW.exe.3e20000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.UGcjMkPWwW.exe.3c00000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.OpenWith.exe.4f60000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.UGcjMkPWwW.exe.3c00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000003.1745436761.0000000005180000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1742681763.0000000003C00000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1745270453.0000000004F60000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1742866792.0000000003E20000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: UGcjMkPWwW.exe PID: 7256, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OpenWith.exe PID: 7316, type: MEMORYSTR
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_00000251D31030C7 NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,RtlFreeHeap,RtlFreeHeap, 2_3_00000251D31030C7
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_00007DF40154C10C NtAcceptConnectPort, 2_3_00007DF40154C10C
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_00007DF40154D2F4 NtAcceptConnectPort,NtAcceptConnectPort, 2_3_00007DF40154D2F4
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_00007DF40154B498 NtAcceptConnectPort,calloc,DuplicateHandle,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort, 2_3_00007DF40154B498
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_00007DF40154C47C NtAcceptConnectPort, 2_3_00007DF40154C47C
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_00007DF40154D3C0 NtAcceptConnectPort,NtAcceptConnectPort, 2_3_00007DF40154D3C0
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_00007DF40154C70C NtAcceptConnectPort, 2_3_00007DF40154C70C
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_00007DF40154C7CC NtAcceptConnectPort, 2_3_00007DF40154C7CC
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_00007DF40154ACE8 NtAcceptConnectPort, 2_3_00007DF40154ACE8
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_00007DF40154BCC0 NtAcceptConnectPort,NtAcceptConnectPort,free, 2_3_00007DF40154BCC0
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_00007DF40154ACC8 NtAcceptConnectPort, 2_3_00007DF40154ACC8
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_00007DF40154AD14 NtAcceptConnectPort, 2_3_00007DF40154AD14
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_00007DF40154AC0C NtAcceptConnectPort, 2_3_00007DF40154AC0C
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_00007DF40154AF60 NtAcceptConnectPort, 2_3_00007DF40154AF60
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_00007DF40154AF40 NtAcceptConnectPort, 2_3_00007DF40154AF40
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_00007DF40154ADD4 NtAcceptConnectPort, 2_3_00007DF40154ADD4
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_00007DF40154AE5C NtAcceptConnectPort, 2_3_00007DF40154AE5C
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_00007DF40154BE6C calloc,NtAcceptConnectPort, 2_3_00007DF40154BE6C
Source: C:\Windows\System32\OpenWith.exe Code function: 2_2_00000251D3091A90 NtAcceptConnectPort,NtAcceptConnectPort, 2_2_00000251D3091A90
Source: C:\Windows\System32\OpenWith.exe Code function: 2_2_00000251D3090AC8 NtAcceptConnectPort,NtAcceptConnectPort, 2_2_00000251D3090AC8
Source: C:\Windows\System32\OpenWith.exe Code function: 2_2_00000251D30915AC NtAcceptConnectPort, 2_2_00000251D30915AC
Source: C:\Windows\System32\OpenWith.exe Code function: 2_2_00000251D3091CD0 NtAcceptConnectPort,CloseHandle, 2_2_00000251D3091CD0
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 6_3_00007DF4E2E91958 calloc,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtQueryInformationProcess,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory, 6_3_00007DF4E2E91958
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 6_3_00007DF4E2E91CE8 calloc,CreateProcessW,NtResumeThread,CloseHandle,free, 6_3_00007DF4E2E91CE8
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 6_2_000001E4D5872990 NtAcceptConnectPort, 6_2_000001E4D5872990
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 6_2_000001E4D58729D4 NtAcceptConnectPort, 6_2_000001E4D58729D4
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 6_2_000001E4D587252C NtAcceptConnectPort, 6_2_000001E4D587252C
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 6_2_000001E4D5872C64 NtAcceptConnectPort, 6_2_000001E4D5872C64
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 6_2_000001E4D5872418 NtAcceptConnectPort, 6_2_000001E4D5872418
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 6_2_000001E4D58728E8 NtAcceptConnectPort, 6_2_000001E4D58728E8
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 6_2_000001E4D587288C NtAcceptConnectPort, 6_2_000001E4D587288C
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 6_2_000001E4D58728B8 NtAcceptConnectPort, 6_2_000001E4D58728B8
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 6_2_000001E4D58727B8 NtAcceptConnectPort, 6_2_000001E4D58727B8
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 6_2_00007DF4E2E92704 NtQuerySystemInformation,malloc,NtQuerySystemInformation, 6_2_00007DF4E2E92704
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 6_2_00007DF4E2E91A50 NtQueryInformationProcess, 6_2_00007DF4E2E91A50
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 6_2_00007DF4E2E91A08 NtAllocateVirtualMemory, 6_2_00007DF4E2E91A08
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 6_2_00007DF4E2E91B3C NtReadVirtualMemory, 6_2_00007DF4E2E91B3C
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 6_2_00007DF4E2E91ABC NtReadVirtualMemory, 6_2_00007DF4E2E91ABC
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 6_2_00007DF4E2E91B7C NtReadVirtualMemory, 6_2_00007DF4E2E91B7C
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 6_2_00007DF4E2E91D18 NtReadVirtualMemory, 6_2_00007DF4E2E91D18
Source: C:\Windows\System32\dllhost.exe Code function: 7_2_000002D392A3385C NtQuerySystemInformation, 7_2_000002D392A3385C
Source: UGcjMkPWwW.exe, 00000000.00000003.1742498648.0000000003CD0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs UGcjMkPWwW.exe
Source: UGcjMkPWwW.exe, 00000000.00000003.1742866792.0000000004001000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKernelbase.dllj% vs UGcjMkPWwW.exe
Source: UGcjMkPWwW.exe, 00000000.00000003.1742681763.0000000003C00000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKernelbase.dllj% vs UGcjMkPWwW.exe
Source: UGcjMkPWwW.exe, 00000000.00000003.1742498648.0000000003C80000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs UGcjMkPWwW.exe
Source: UGcjMkPWwW.exe, 00000000.00000003.1742108870.0000000003D23000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs UGcjMkPWwW.exe
Source: UGcjMkPWwW.exe, 00000000.00000000.1707604650.000000000044B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename4 vs UGcjMkPWwW.exe
Source: UGcjMkPWwW.exe, 00000000.00000003.1742437180.0000000000550000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs UGcjMkPWwW.exe
Source: UGcjMkPWwW.exe, 00000000.00000003.1741895197.0000000003F76000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs UGcjMkPWwW.exe
Source: UGcjMkPWwW.exe, 00000000.00000003.1741747932.0000000003D78000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs UGcjMkPWwW.exe
Source: UGcjMkPWwW.exe, 00000000.00000003.1742437180.00000000005E2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs UGcjMkPWwW.exe
Source: UGcjMkPWwW.exe, 00000000.00000003.1742251026.0000000003ECD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs UGcjMkPWwW.exe
Source: UGcjMkPWwW.exe Binary or memory string: OriginalFilename4 vs UGcjMkPWwW.exe
Source: UGcjMkPWwW.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 2.3.OpenWith.exe.251d535d970.5.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 2.3.OpenWith.exe.251d535d970.4.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 2.2.OpenWith.exe.251d535d970.1.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/0@0/2
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_00007DF401522634 CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle,SuspendThread, 2_3_00007DF401522634
Source: C:\Windows\SysWOW64\OpenWith.exe Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
Source: C:\Windows\SysWOW64\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: OpenWith.exe, 00000002.00000003.2116742078.00000251D5511000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1875112434.00000251D4B67000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1876203189.00000251D5311000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1863278174.00000251D4B6D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2117217556.00007DF401622000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1876369505.00000251D53C4000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2116111905.00000251D51BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: OpenWith.exe, 00000002.00000003.2116742078.00000251D5511000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1875112434.00000251D4B67000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1876203189.00000251D5311000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1863278174.00000251D4B6D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2117217556.00007DF401622000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1876369505.00000251D53C4000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2116111905.00000251D51BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: OpenWith.exe, 00000002.00000003.2116742078.00000251D5511000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1875112434.00000251D4B67000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1876203189.00000251D5311000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1863278174.00000251D4B6D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2117217556.00007DF401622000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1876369505.00000251D53C4000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2116111905.00000251D51BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: OpenWith.exe, 00000002.00000003.2116742078.00000251D5511000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1875112434.00000251D4B67000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1876203189.00000251D5311000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1863278174.00000251D4B6D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2117217556.00007DF401622000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1876369505.00000251D53C4000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2116111905.00000251D51BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: OpenWith.exe, 00000002.00000003.2116742078.00000251D5511000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1875112434.00000251D4B67000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1876203189.00000251D5311000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1863278174.00000251D4B6D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2117217556.00007DF401622000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1876369505.00000251D53C4000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2116111905.00000251D51BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: OpenWith.exe, 00000002.00000003.2116742078.00000251D5511000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1875112434.00000251D4B67000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1876203189.00000251D5311000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1863278174.00000251D4B6D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2117217556.00007DF401622000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1876369505.00000251D53C4000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2116111905.00000251D51BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: OpenWith.exe, 00000002.00000003.1899461790.00000251D5685000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1899889802.00000251D561F000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1899655925.00000251D5685000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: OpenWith.exe, 00000002.00000003.2116742078.00000251D5511000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1875112434.00000251D4B67000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1876203189.00000251D5311000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1863278174.00000251D4B6D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2117217556.00007DF401622000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.1876369505.00000251D53C4000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000003.2116111905.00000251D51BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: UGcjMkPWwW.exe ReversingLabs: Detection: 65%
Source: UGcjMkPWwW.exe Virustotal: Detection: 82%
Source: unknown Process created: C:\Users\user\Desktop\UGcjMkPWwW.exe "C:\Users\user\Desktop\UGcjMkPWwW.exe"
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Process created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Windows\SysWOW64\OpenWith.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows Media Player\wmlaunch.exe "C:\Program Files\Windows Media Player\wmlaunch.exe"
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Process created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Windows\SysWOW64\OpenWith.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows Media Player\wmlaunch.exe "C:\Program Files\Windows Media Player\wmlaunch.exe"
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: netutils.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Section loaded: mpr.dll
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Section loaded: mfplat.dll
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Section loaded: rtworkq.dll
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Section loaded: mswsock.dll
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\7.0\Outlook\Profiles\Outlook
Source: UGcjMkPWwW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: UGcjMkPWwW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: UGcjMkPWwW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: UGcjMkPWwW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: UGcjMkPWwW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: UGcjMkPWwW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: UGcjMkPWwW.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: UGcjMkPWwW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: OpenWith.exe, 00000002.00000002.2117470660.00000251D3118000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdb source: UGcjMkPWwW.exe, 00000000.00000003.1742498648.0000000003C80000.00000004.00000001.00020000.00000000.sdmp, UGcjMkPWwW.exe, 00000000.00000003.1742437180.0000000000550000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1745057785.0000000004F60000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1745121603.0000000005080000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: OpenWith.exe, 00000002.00000002.2117470660.00000251D3118000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: UGcjMkPWwW.exe, 00000000.00000003.1742681763.0000000003C00000.00000004.00000001.00020000.00000000.sdmp, UGcjMkPWwW.exe, 00000000.00000003.1742866792.0000000003E20000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1745436761.0000000005180000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1745270453.0000000004F60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb!8 source: OpenWith.exe, 00000002.00000002.2117470660.00000251D3118000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: UGcjMkPWwW.exe, 00000000.00000003.1741895197.0000000003DF0000.00000004.00000001.00020000.00000000.sdmp, UGcjMkPWwW.exe, 00000000.00000003.1741747932.0000000003C00000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1744570517.0000000005150000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1744423678.0000000004F60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: UGcjMkPWwW.exe, 00000000.00000003.1742108870.0000000003C00000.00000004.00000001.00020000.00000000.sdmp, UGcjMkPWwW.exe, 00000000.00000003.1742251026.0000000003DA0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1744926026.0000000005100000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1744787920.0000000004F60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: UGcjMkPWwW.exe, 00000000.00000003.1741895197.0000000003DF0000.00000004.00000001.00020000.00000000.sdmp, UGcjMkPWwW.exe, 00000000.00000003.1741747932.0000000003C00000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1744570517.0000000005150000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1744423678.0000000004F60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: UGcjMkPWwW.exe, 00000000.00000003.1742108870.0000000003C00000.00000004.00000001.00020000.00000000.sdmp, UGcjMkPWwW.exe, 00000000.00000003.1742251026.0000000003DA0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1744926026.0000000005100000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1744787920.0000000004F60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831H source: OpenWith.exe, 00000002.00000002.2117470660.00000251D3118000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: win32u.pdb source: wmlaunch.exe, wmlaunch.exe, 00000006.00000003.2031195643.000001E4D5B30000.00000004.00000001.00020000.00000000.sdmp, wmlaunch.exe, 00000006.00000003.2031233133.000001E4D5B60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: UGcjMkPWwW.exe, 00000000.00000003.1742681763.0000000003C00000.00000004.00000001.00020000.00000000.sdmp, UGcjMkPWwW.exe, 00000000.00000003.1742866792.0000000003E20000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1745436761.0000000005180000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1745270453.0000000004F60000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: UGcjMkPWwW.exe, 00000000.00000003.1742498648.0000000003C80000.00000004.00000001.00020000.00000000.sdmp, UGcjMkPWwW.exe, 00000000.00000003.1742437180.0000000000550000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1745057785.0000000004F60000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000001.00000003.1745121603.0000000005080000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: win32u.pdbGCTL source: wmlaunch.exe, 00000006.00000003.2031195643.000001E4D5B30000.00000004.00000001.00020000.00000000.sdmp, wmlaunch.exe, 00000006.00000003.2031233133.000001E4D5B60000.00000004.00000001.00020000.00000000.sdmp
Source: UGcjMkPWwW.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: UGcjMkPWwW.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: UGcjMkPWwW.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: UGcjMkPWwW.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: UGcjMkPWwW.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: 2.2.OpenWith.exe.251d535d970.1.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 2.2.OpenWith.exe.251d535d970.1.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 2.3.OpenWith.exe.251d5359d60.6.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 2.3.OpenWith.exe.251d5359d60.6.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 2.2.OpenWith.exe.251d5359d60.2.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 2.2.OpenWith.exe.251d5359d60.2.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 2.3.OpenWith.exe.251d535d970.4.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 2.3.OpenWith.exe.251d535d970.4.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 2.3.OpenWith.exe.251d535d970.5.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 2.3.OpenWith.exe.251d535d970.5.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: UGcjMkPWwW.exe Static PE information: section name: .textbss
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Code function: 0_3_00434C62 push es; retf 0_3_00434C91
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Code function: 0_3_00435E69 push ebx; iretd 0_3_00435E6A
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Code function: 0_3_00436A80 push edx; ret 0_3_00436A81
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Code function: 0_3_00434C95 push es; retf 0_3_00434C91
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Code function: 0_3_00432F50 push eax; retf 0_3_00432F51
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Code function: 0_3_00434170 push ecx; iretd 0_3_0043417C
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Code function: 0_3_00436777 push esi; ret 0_3_00436782
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Code function: 0_3_00434130 pushad ; ret 0_3_00434138
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Code function: 0_3_004361E2 push eax; retf 0_3_004361F1
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Code function: 0_3_004347A2 push ebp; iretd 0_3_004347A3
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Code function: 0_2_003DC01A push ds; iretd 0_2_003DC036
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Code function: 0_2_004312F4 push ecx; ret 0_2_00431307
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Code function: 0_2_003D1436 push ds; retf 0_2_003D143B
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Code function: 0_2_003DE5F8 push ebx; ret 0_2_003DE5F9
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 1_3_00AF3EE9 push ebx; iretd 1_3_00AF3EEA
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 1_3_00AF2CE2 push es; retf 1_3_00AF2D11
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 1_3_00AF2822 push ebp; iretd 1_3_00AF2823
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 1_3_00AF4262 push eax; retf 1_3_00AF4271
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 1_3_00AF21B0 pushad ; ret 1_3_00AF21B8
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 1_3_00AF47F7 push esi; ret 1_3_00AF4802
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 1_3_00AF21F0 push ecx; iretd 1_3_00AF21FC
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 1_3_00AF0FD0 push eax; retf 1_3_00AF0FD1
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 1_3_00AF4B00 push edx; ret 1_3_00AF4B01
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 1_3_00AF2D15 push es; retf 1_3_00AF2D11
Source: C:\Windows\System32\dllhost.exe Code function: 7_2_000002D392A30D45 pushad ; retf 7_2_000002D392A30D47
Source: C:\Windows\System32\dllhost.exe Code function: 7_2_000002D392A304AE push es; ret 7_2_000002D392A304B6
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\UGcjMkPWwW.exe API/Special instruction interceptor: Address: 7FFE2220D044
Source: C:\Windows\SysWOW64\OpenWith.exe API/Special instruction interceptor: Address: 7FFE2220D044
Source: C:\Windows\SysWOW64\OpenWith.exe API/Special instruction interceptor: Address: 54FA83A
Source: C:\Windows\System32\dllhost.exe Code function: GetAdaptersInfo, 7_2_000002D392A32AC4
Source: C:\Windows\SysWOW64\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_00007DF4015222DC GetSystemInfo,VirtualAlloc, 2_3_00007DF4015222DC
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft
Source: dllhost.exe, 00000007.00000002.2962467867.000002D392B7B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW6
Source: OpenWith.exe, 00000002.00000003.1898161553.00000251D5158000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkLinkcLinkSymbolicLink^4
Source: OpenWith.exe, 00000002.00000003.1898161553.00000251D5158000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkmbolicLinkSymbolicLink
Source: OpenWith.exe, 00000002.00000002.2117470660.00000251D3118000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: OpenWith.exe, 00000001.00000003.1745270453.0000000004F60000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
Source: OpenWith.exe, 00000002.00000003.1879317732.00000251D5158000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMCIDevSymbol
Source: OpenWith.exe, 00000001.00000002.1826940251.0000000000C58000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000002.00000002.2117470660.00000251D3118000.00000004.00000020.00020000.00000000.sdmp, wmlaunch.exe, 00000006.00000002.2963101699.000001E4D5A18000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 00000007.00000002.2962467867.000002D392B7B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: OpenWith.exe, 00000002.00000003.1879317732.00000251D5158000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkymbolicLinkcLinkSymbolicLink
Source: OpenWith.exe, 00000001.00000003.1745270453.0000000004F60000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
Source: OpenWith.exe, 00000002.00000002.2117470660.00000251D3118000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW}
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Code function: 0_2_00429AB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00429AB4
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Code function: 0_3_00432277 mov eax, dword ptr fs:[00000030h] 0_3_00432277
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Code function: 0_2_00432277 mov eax, dword ptr fs:[00000030h] 0_2_00432277
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 1_3_00AF0283 mov eax, dword ptr fs:[00000030h] 1_3_00AF0283
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Code function: 0_2_00424E5A GetProcessHeap,RtlAllocateHeap,GetModuleFileNameW,_wcsrchr,lstrlenW,GetProcessHeap,RtlFreeHeap,MulDiv, 0_2_00424E5A
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Code function: 0_2_00425A33 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00425A33
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Code function: 0_2_00429AB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00429AB4
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Code function: 0_2_004255A9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004255A9
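The push/return pairs listed under Data Obfuscation (`push es; retf`, `push ebx; iretd`, `push edx; ret`) and the `mov eax, dword ptr fs:[00000030h]` reads listed above are both byte-level indicators that can be checked directly in a dumped code region. The Python below is an added example, not output of the sandbox or code from the sample: it scans a constructed 32-bit buffer for both patterns and counts hits per page. The base address is arbitrary, and the per-page density heuristic is this example's own assumption for separating a few padding or junk-code pairs in .text from a data region that a disassembler has walked into.

```python
"""Added example (not from the report): scan a 32-bit code region for
push+return pairs and for reads of fs:[30h] (the PEB pointer in the TEB).

SAMPLE_CODE is constructed and SAMPLE_BASE is an arbitrary address.
"""
from typing import Dict, List, Tuple

# One-byte x86 PUSH encodings. Assumption: 32-bit operand size, no prefixes.
PUSH_OPCODES = {0x06: "push es", 0x0E: "push cs", 0x16: "push ss",
                0x1E: "push ds", 0x60: "pushad"}
for _i, _reg in enumerate(("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")):
    PUSH_OPCODES[0x50 + _i] = f"push {_reg}"

# One-byte return encodings. A compiler does not emit retf or iretd right
# after a plain push, so such pairs point at junk instructions or at data.
RET_OPCODES = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}

# Two encodings of "mov eax, dword ptr fs:[30h]": the short moffs32 form
# and the ModRM form.
PEB_READS = {
    bytes([0x64, 0xA1, 0x30, 0x00, 0x00, 0x00]): "mov eax, fs:[30h]",
    bytes([0x64, 0x8B, 0x05, 0x30, 0x00, 0x00, 0x00]): "mov eax, fs:[30h]",
}

Hit = Tuple[int, str]


def find_push_ret(buf: bytes, base: int = 0) -> List[Hit]:
    """Return (address, 'push X; ret') for every adjacent push/return pair."""
    hits: List[Hit] = []
    for off in range(len(buf) - 1):
        push = PUSH_OPCODES.get(buf[off])
        ret = RET_OPCODES.get(buf[off + 1])
        if push and ret:
            hits.append((base + off, f"{push}; {ret}"))
    return hits


def find_peb_reads(buf: bytes, base: int = 0) -> List[Hit]:
    """Return (address, mnemonic) for every fs:[30h] read found in buf."""
    hits: List[Hit] = []
    for pattern, text in PEB_READS.items():
        start = 0
        while (idx := buf.find(pattern, start)) != -1:
            hits.append((base + idx, text))
            start = idx + 1
    return sorted(hits)


def hits_per_page(hits: List[Hit], page_size: int = 0x1000) -> Dict[int, int]:
    """Count hits per page (assumed heuristic): a handful in .text is padding
    or junk code, a page full of them usually means the region is data."""
    counts: Dict[int, int] = {}
    for addr, _ in hits:
        page = addr & ~(page_size - 1)
        counts[page] = counts.get(page, 0) + 1
    return counts


# Constructed buffer: a normal prologue, a PEB.BeingDebugged read, then
# three push/return pairs of the kind the report lists.
SAMPLE_CODE = bytes([
    0x55, 0x8B, 0xEC,                       # push ebp; mov ebp, esp
    0x64, 0xA1, 0x30, 0x00, 0x00, 0x00,     # mov eax, fs:[30h]
    0x0F, 0xB6, 0x40, 0x02,                 # movzx eax, byte ptr [eax+2]
    0x90,                                   # nop
    0x06, 0xCB,                             # push es; retf
    0x90,                                   # nop
    0x53, 0xCF,                             # push ebx; iretd
    0x52, 0xC3,                             # push edx; ret
])
SAMPLE_BASE = 0x00434C60


def scan_sample() -> Dict[str, object]:
    """Run both scanners over SAMPLE_CODE and summarise the result."""
    push_ret = find_push_ret(SAMPLE_CODE, SAMPLE_BASE)
    peb = find_peb_reads(SAMPLE_CODE, SAMPLE_BASE)
    return {"push_ret": push_ret, "peb_reads": peb,
            "per_page": hits_per_page(push_ret + peb)}


if __name__ == "__main__":
    for kind, result in scan_sample().items():
        print(kind, result)
```

Feed `find_push_ret` and `find_peb_reads` the bytes of a dumped region together with its load address; a region where nearly every page shows several push/return pairs is more likely data or packed payload than code, which is the caveat to keep in mind when reading the `0_3_` (memory dump) entries above.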

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files\Windows Media Player\wmlaunch.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 2D392A30000 protect: page read and write
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Memory written: C:\Windows\System32\dllhost.exe base: 2D392A30000
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Memory written: C:\Windows\System32\dllhost.exe base: 7FF70F3314E0
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Process created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Windows\SysWOW64\OpenWith.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows Media Player\wmlaunch.exe "C:\Program Files\Windows Media Player\wmlaunch.exe"
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Code function: 0_2_00425845 cpuid 0_2_00425845
Source: C:\Windows\System32\OpenWith.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Windows\SysWOW64\OpenWith.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\dllhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_00007DF401541B18 CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 2_3_00007DF401541B18
Source: C:\Users\user\Desktop\UGcjMkPWwW.exe Code function: 0_2_00425490 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00425490
Source: C:\Windows\SysWOW64\OpenWith.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
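The process chain recorded earlier in the report (UGcjMkPWwW.exe starting the 32-bit OpenWith.exe, which starts the 64-bit OpenWith.exe, which starts wmlaunch.exe, which starts dllhost.exe) and the cross-process memory operations in this section (wmlaunch.exe allocating a read/write region in dllhost.exe, writing to it, then writing to a second address outside that region) are what a Sysmon deployment would log as process-creation and process-access events. The Python below is an added example, not part of the report and not code from the sample: it rebuilds the chain from constructed events and flags the pattern. Its rules rest on three assumptions stated in the code: OpenWith.exe, wmlaunch.exe and dllhost.exe are not normally started by a binary under a user profile or by one another; a legitimate COM surrogate dllhost.exe carries a `/Processid:` argument; and a process-access event whose granted access includes PROCESS_VM_OPERATION (0x8) and PROCESS_VM_WRITE (0x20) is what a remote allocate-and-write looks like.

```python
"""Added example (not from the report): rebuild the process chain and flag
the cross-process memory write from Sysmon-style events.

EVENTS is a constructed set of EID 1 (process create) and EID 10 (process
access) records shaped after the chain in the report; none of it is a real log.
"""
import ntpath
from typing import Dict, List, Tuple

PROCESS_VM_OPERATION = 0x0008   # needed for VirtualAllocEx / VirtualProtectEx
PROCESS_VM_WRITE = 0x0020       # needed for WriteProcessMemory
REMOTE_WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumption: these system binaries are not normally started by a program
# under a user profile, nor by one another.
HOLLOWING_HOSTS = {"openwith.exe", "wmlaunch.exe", "dllhost.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

EVENTS = [  # constructed records
    {"eid": 1, "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"eid": 1, "pid": 200, "ppid": 100, "image": r"C:\Users\user\Desktop\UGcjMkPWwW.exe",
     "cmd": r'"C:\Users\user\Desktop\UGcjMkPWwW.exe"'},
    {"eid": 1, "pid": 300, "ppid": 200, "image": r"C:\Windows\SysWOW64\OpenWith.exe",
     "cmd": r'"C:\Windows\system32\openwith.exe"'},
    {"eid": 1, "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\OpenWith.exe",
     "cmd": r'"C:\Windows\system32\openwith.exe"'},
    {"eid": 1, "pid": 500, "ppid": 400,
     "image": r"C:\Program Files\Windows Media Player\wmlaunch.exe",
     "cmd": r'"C:\Program Files\Windows Media Player\wmlaunch.exe"'},
    {"eid": 1, "pid": 600, "ppid": 500, "image": r"C:\Windows\System32\dllhost.exe",
     "cmd": r'"C:\Windows\system32\dllhost.exe"'},
    # A normal COM surrogate for contrast: started by DcomLaunch with a CLSID.
    {"eid": 1, "pid": 50, "ppid": 1, "image": r"C:\Windows\System32\svchost.exe",
     "cmd": "svchost.exe -k DcomLaunch"},
    {"eid": 1, "pid": 700, "ppid": 50, "image": r"C:\Windows\System32\dllhost.exe",
     "cmd": r"C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
    # Process-access records: source, target, GrantedAccess mask.
    {"eid": 10, "src_pid": 500, "tgt_pid": 600, "access": 0x1FFFFF},
    {"eid": 10, "src_pid": 100, "tgt_pid": 200, "access": 0x1000},
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def process_table(events: List[dict]) -> Dict[int, dict]:
    return {e["pid"]: e for e in events if e["eid"] == 1}


def ancestry(procs: Dict[int, dict], pid: int) -> List[str]:
    """Image names from pid up to the first parent we have no record of."""
    chain: List[str] = []
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def analyze(events: List[dict]) -> List[Tuple[str, int]]:
    """Return (rule, pid) findings; pid is the child for the creation rules
    and the source process for the memory-write rule."""
    procs = process_table(events)
    findings: List[Tuple[str, int]] = []
    for pid, p in procs.items():
        name = basename(p["image"])
        parent = procs.get(p["ppid"])
        pimage = parent["image"].lower() if parent else ""
        pname = basename(pimage)
        if name in HOLLOWING_HOSTS and parent and not pimage.startswith(TRUSTED_DIRS):
            findings.append(("host_from_untrusted_parent", pid))
        if name in HOLLOWING_HOSTS and pname in HOLLOWING_HOSTS:
            findings.append(("host_spawns_host", pid))
        # The 32-bit copy of a binary starting the 64-bit copy of itself.
        if name == pname and "\\syswow64\\" in pimage and "\\system32\\" in p["image"].lower():
            findings.append(("wow64_to_native_hop", pid))
        # Assumption: a COM surrogate always carries /Processid:{CLSID}.
        if name == "dllhost.exe" and "/processid:" not in p["cmd"].lower():
            findings.append(("dllhost_without_processid", pid))
    for e in events:
        if (e["eid"] == 10 and e["src_pid"] != e["tgt_pid"]
                and (e["access"] & REMOTE_WRITE_MASK) == REMOTE_WRITE_MASK):
            findings.append(("remote_memory_write", e["src_pid"]))
    return findings


if __name__ == "__main__":
    table = process_table(EVENTS)
    print(" <- ".join(ancestry(table, 600)))
    for rule, pid in analyze(EVENTS):
        print(f"{rule:28} pid={pid} {ntpath.basename(table[pid]['image'])}")
```

The GrantedAccess check is deliberately loose (any mask containing both bits, including PROCESS_ALL_ACCESS), because the report shows the allocation and the write as separate steps; tightening it to an exact mask would miss either. Debuggers and endpoint agents also open processes with these rights, so in production the rule needs an exclusion list for the source image.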

Stealing of Sensitive Information

Source: Yara match File source: UGcjMkPWwW.exe, type: SAMPLE
Source: Yara match File source: 0.0.UGcjMkPWwW.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UGcjMkPWwW.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1744147121.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1743648406.0000000000C40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1707524321.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1768649425.0000000004ECF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2116742078.00000251D5511000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1876203189.00000251D5311000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1740844173.00000000003C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1876369505.00000251D53C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1827092674.00000000046E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1743471717.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: OpenWith.exe, 00000002.00000003.1900288624.00000251D50FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\Qtum-Electrum\config
Source: OpenWith.exe, 00000002.00000003.1900288624.00000251D50FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\ElectronCash\config
Source: OpenWith.exe, 00000002.00000003.1900288624.00000251D50FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\com.liberty.jaxx
Source: OpenWith.exe, 00000002.00000003.1900288624.00000251D50FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: OpenWith.exe, 00000002.00000003.1900288624.00000251D50FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\Exodus
Source: OpenWith.exe, 00000002.00000003.1938316310.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance
Source: OpenWith.exe, 00000002.00000003.1900288624.00000251D50FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\Coinomi\Coinomi\wallets
Source: OpenWith.exe, 00000002.00000002.2117470660.00000251D3118000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live&:6
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-Qt
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings\main\ms-language-packs\browser\newtab
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\z6bny8rn.default
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\safebrowsing
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\doomed
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings\main\ms-language-packs\browser
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\startupCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\thumbnails Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\safebrowsing\google4 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\trash16598 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings\main Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings\main\ms-language-packs Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Directory queried: C:\Users\user\Documents\WKXEWIOTXI Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Directory queried: C:\Users\user\Documents\YPSIACHYXW Jump to behavior
Source: Yara match File source: 00000002.00000003.1901618122.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1900288624.00000251D50FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1906943216.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1900970366.00000251D50F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1904033708.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1902184169.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1903499792.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1905062934.00000251D50FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1900141786.00000251D50F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1903745557.00000251D50FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1901371041.00000251D50FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: OpenWith.exe PID: 7404, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: UGcjMkPWwW.exe, type: SAMPLE
Source: Yara match File source: 0.0.UGcjMkPWwW.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UGcjMkPWwW.exe.3d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1744147121.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1743648406.0000000000C40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1707524321.00000000003D1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1768649425.0000000004ECF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2116742078.00000251D5511000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1876203189.00000251D5311000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1740844173.00000000003C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.1876369505.00000251D53C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1827092674.00000000046E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1743471717.00000000032C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_00007DF401574088 socket,bind, 2_3_00007DF401574088
Source: C:\Windows\System32\OpenWith.exe Code function: 2_3_00007DF401541B18 CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 2_3_00007DF401541B18
Source: C:\Program Files\Windows Media Player\wmlaunch.exe Code function: 6_2_000001E4D586CDF4 CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 6_2_000001E4D586CDF4