Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1499938
MD5: 61d31fb13c1dd46fcb03caf7f648508c
SHA1: ecd46d1e09bdfa50c1587690e70262bc14ba751c
SHA256: 6cd031908922840ee684d3c05294e7e071b500915b760c474f22c1def0df14bc
Tags: exe
Infos:

Detection

RHADAMANTHYS, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected RHADAMANTHYS Stealer
Yara detected UAC Bypass using CMSTP
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Silenttrinity Stager Msbuild Activity
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapater information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: Dllhost Internet Connection
Sigma detected: Use Short Name Path in Command Line
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Rhadamanthys According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines.At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
  • Sandworm
 https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys
Name Description Attribution Blogpost URLs Link
XWorm Malware with wide range of capabilities ranging from RAT to ransomware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\cfi Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: C:\Users\user\AppData\Local\Temp\tqco Avira: detection malicious, Label: HEUR/AGEN.1305769
Found malware configuration
Source: 00000020.00000002.1996496863.00000000052DB000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://154.216.19.149:2047/888260cc6af8f/07djb4gj.jifud"}
Source: 00000019.00000002.3766821762.00000000029A1000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": "https://pastebin.com/raw/jxfGm9Pc", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\cfi Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tqco Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack String decryptor: https://pastebin.com/raw/jxfGm9Pc
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack String decryptor: <123456789>
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack String decryptor: <Xwormmm>
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack String decryptor: V3
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack String decryptor: USB.exe
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218A2258 CryptUnprotectData, 17_3_00007DF4218A2258

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 23.2.cmd.exe.34407f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.cmd.exe.5152b57.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.cmd.exe.53fcb57.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.cmd.exe.510da8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SendBugReportNew.exe.2ec65ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.cmd.exe.53fd757.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.cmd.exe.52e1a8a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.cmd.exe.53b7a8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.cmd.exe.5327757.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SendBugReportNew.exe.2ec59ce.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.cmd.exe.5326b57.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.cmd.exe.5153757.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SendBugReportNew.exe.2e80901.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000002.1996496863.00000000052DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1720054061.0000000003440000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1720436187.00000000053B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SendBugReportNew.exe PID: 7368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 7596, type: MEMORYSTR
Uses 32bit PE files
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.7:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49758 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49760 version: TLS 1.2
Source: Binary string: wkernel32.pdb source: V3.exe, 0000000A.00000003.1325524956.00000000046F0000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325445545.00000000010D0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329816616.0000000004CF0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329733550.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: V3.exe, 0000000A.00000003.1325726282.0000000004670000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325910067.0000000004890000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1330348319.0000000004DF0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1330078113.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: V3.exe, 0000000A.00000003.1324630716.0000000004670000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1324825043.0000000004860000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1328177048.0000000004DC0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1327943327.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: SendBugReportNew.exe, 00000009.00000002.1404881982.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404526602.000000000306B000.00000004.00000020.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325063351.0000000004670000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325220783.0000000004810000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329265416.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329541832.0000000004D70000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686777775.0000000004D58000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1687023022.00000000051F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: V3.exe, 0000000A.00000003.1324630716.0000000004670000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1324825043.0000000004860000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1328177048.0000000004DC0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1327943327.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SendBugReportNew.exe, 00000009.00000002.1404881982.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404526602.000000000306B000.00000004.00000020.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325063351.0000000004670000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325220783.0000000004810000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329265416.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329541832.0000000004D70000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686777775.0000000004D58000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1687023022.00000000051F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: win32u.pdb source: wmplayer.exe
Source: Binary string: wkernel32.pdbUGP source: V3.exe, 0000000A.00000003.1325524956.00000000046F0000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325445545.00000000010D0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329816616.0000000004CF0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329733550.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: V3.exe, 0000000A.00000003.1325726282.0000000004670000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325910067.0000000004890000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1330348319.0000000004DF0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1330078113.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\Windows\System32\OpenWith.exe Directory queried: number of queries: 1001
Source: C:\Users\user\Desktop\file.exe Code function: 7_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, 7_2_0040301A
Source: C:\Users\user\Desktop\file.exe Code function: 7_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 7_2_00402B79
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Code function: 10_2_00C8A165 FindFirstFileExW, 10_2_00C8A165
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\Documents\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\Desktop\desktop.ini Jump to behavior
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\System32\OpenWith.exe Code function: 4x nop then dec esp 17_3_00007DF4218AE261
Source: C:\Windows\System32\OpenWith.exe Code function: 4x nop then dec esp 17_2_000001F664380511
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 4x nop then dec esp 26_2_00000230766F5641

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:2047 -> 192.168.2.7:49706
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:2047 -> 192.168.2.7:49723
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49724
Source: Network traffic Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 85.209.133.150:6677 -> 192.168.2.7:49726
Source: Network traffic Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 85.209.133.150:6677 -> 192.168.2.7:49726
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49728
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:2047 -> 192.168.2.7:49722
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49727
Source: Network traffic Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49726 -> 85.209.133.150:6677
Source: Network traffic Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.7:49726 -> 85.209.133.150:6677
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49738
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49741
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49732
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49743
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49740
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49746
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49751
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49742
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49733
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49756
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49758
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49736
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49753
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49749
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49748
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49760
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49750
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49739
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49759
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49752
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49747
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49734
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49737
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49755
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49745
Source: Network traffic Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49726 -> 85.209.133.150:6677
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49744
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49735
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49754
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 154.216.19.149:443 -> 192.168.2.7:49757
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://pastebin.com/raw/jxfGm9Pc
Source: Malware configuration extractor URLs: https://154.216.19.149:2047/888260cc6af8f/07djb4gj.jifud
Connects to a pastebin service (likely for C&C)
Source: unknown DNS query: name: pastebin.com
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 154.216.19.149 ports 0,2,443,4,2047,7
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49706 -> 154.216.19.149:2047
Source: global traffic TCP traffic: 192.168.2.7:49726 -> 85.209.133.150:6677
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /raw/jxfGm9Pc HTTP/1.1Host: pastebin.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.20.4.235 104.20.4.235
Source: Joe Sandbox View IP Address: 104.20.4.235 104.20.4.235
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SKHT-ASShenzhenKatherineHengTechnologyInformationCo SKHT-ASShenzhenKatherineHengTechnologyInformationCo
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CMCSUS CMCSUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: caec7ddf6889590d999d7ca1b76373b6
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 154.216.19.149:2047 -> 192.168.2.7:49723
Source: Network traffic Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 154.216.19.149:2047 -> 192.168.2.7:49722
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: unknown TCP traffic detected without corresponding DNS query: 154.216.19.149
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218D4520 WSARecv, 17_3_00007DF4218D4520
Source: global traffic HTTP traffic detected: GET /raw/jxfGm9Pc HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: time.windows.com
Source: global traffic DNS traffic detected: DNS query: pastebin.com
Source: SendBugReportNew.exe, 00000009.00000002.1404127146.0000000002D49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://c0rl.m%L
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404127146.0000000002D49000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0L
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s.symcd.com06
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000000.1290343124.0000000000401000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E23000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.00000000050BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.info-zip.org/
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: SendBugReportNew.exe, 00000009.00000002.1404127146.0000000002D49000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0
Source: SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0/
Source: OpenWith.exe, OpenWith.exe, 00000011.00000003.1505283509.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1677547052.000001F6663D7000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1498738651.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1511247150.000001F6663E4000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1495447075.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501372188.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1504313864.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1494409589.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1496020851.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1496455071.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1494693265.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://154.216.19.149:2047/888260cc6af8f/07djb4gj.jifud
Source: OpenWith.exe, 0000000D.00000002.1394086131.00000000026EC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://154.216.19.149:2047/888260cc6af8f/07djb4gj.jifud(
Source: OpenWith.exe, 0000000D.00000003.1393605091.0000000004F54000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1393605091.0000000004F58000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000002.1394825096.0000000004F59000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://154.216.19.149:2047/888260cc6af8f/07djb4gj.jifudkernelbasentdllkernel32GetProcessMitigationP
Source: OpenWith.exe, 00000011.00000003.1545991978.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501094672.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1556366377.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1507797611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501856862.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1539955152.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1551283365.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1495610611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1544923206.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1557954411.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1541801059.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1502193124.000001F666877000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: OpenWith.exe, 00000011.00000003.1545991978.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501094672.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1556366377.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1507797611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501856862.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1539955152.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1551283365.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1495610611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1544923206.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1557954411.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1541801059.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1502193124.000001F666877000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: OpenWith.exe, 00000011.00000003.1545991978.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501094672.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1556366377.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1507797611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501856862.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1539955152.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1551283365.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1544923206.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1557954411.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1541801059.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1502193124.000001F666877000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.sea
Source: OpenWith.exe, 00000011.00000003.1495610611.000001F666877000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: OpenWith.exe, 00000011.00000003.1545991978.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501094672.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1556366377.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1507797611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501856862.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1539955152.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1551283365.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1495610611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1544923206.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1557954411.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1541801059.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1502193124.000001F666877000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0.
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: OpenWith.exe, 00000011.00000003.1505283509.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91
Source: OpenWith.exe, 00000011.00000003.1504313864.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1502338268.000001F66667B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: OpenWith.exe, 00000011.00000003.1504313864.000001F6663DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK201691ad-216
Source: SendBugReportNew.exe, 00000009.00000002.1404127146.0000000002D49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.c
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: OpenWith.exe, 00000011.00000003.1545991978.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501094672.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1556366377.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1507797611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1501856862.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1539955152.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1551283365.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1495610611.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1544923206.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1557954411.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1541801059.000001F666877000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1502193124.000001F666877000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000000.1290343124.0000000000401000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: https://www.iobit.com/en/privacy.phpOpenU
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.7:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49756 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49758 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49759 version: TLS 1.2
Source: unknown HTTPS traffic detected: 154.216.19.149:443 -> 192.168.2.7:49760 version: TLS 1.2
Creates a DirectInput object (often for capturing keystrokes)
Source: V3.exe, 0000000A.00000003.1325726282.0000000004670000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DirectInput8Create memstr_c02683ce-3
Installs a raw input device (often for capturing keystrokes)
Source: V3.exe, 0000000A.00000003.1325726282.0000000004670000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_e06d1c42-3
Yara detected Keylogger Generic
Source: Yara match File source: 13.3.OpenWith.exe.4bd0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.V3.exe.4890000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.OpenWith.exe.4df0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.V3.exe.4670000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.OpenWith.exe.4df0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000003.1330348319.0000000004DF0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1325910067.0000000004890000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1325726282.0000000004670000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.1330078113.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SendBugReportNew.exe PID: 7368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: V3.exe PID: 7404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: OpenWith.exe PID: 7560, type: MEMORYSTR

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 23.2.cmd.exe.34407f8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 14.2.cmd.exe.5152b57.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.cmd.exe.53fcb57.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.59800c8.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 14.2.cmd.exe.59800c8.8.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 14.2.cmd.exe.510da8a.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.SendBugReportNew.exe.2ec65ce.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 36.2.MSBuild.exe.150000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 23.2.cmd.exe.53fd757.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 32.2.cmd.exe.52e1a8a.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 23.2.cmd.exe.53b7a8a.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 32.2.cmd.exe.31c00c8.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 32.2.cmd.exe.5327757.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.SendBugReportNew.exe.2ec59ce.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 32.2.cmd.exe.5326b57.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.5153757.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 9.2.SendBugReportNew.exe.2e80901.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000020.00000002.1996059413.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000E.00000002.1687453554.0000000005980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000024.00000002.1997258638.0000000000152000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\tqco, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\cfi, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Abnormal high CPU Usage
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_000001F665D830C7 RtlAllocateHeap,RtlAllocateHeap,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,RtlDeleteBoundaryDescriptor,RtlDeleteBoundaryDescriptor, 17_3_000001F665D830C7
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218AC10C NtAcceptConnectPort, 17_3_00007DF4218AC10C
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218AD2F4 NtAcceptConnectPort,NtAcceptConnectPort, 17_3_00007DF4218AD2F4
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218AC47C NtAcceptConnectPort, 17_3_00007DF4218AC47C
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218AB498 NtAcceptConnectPort,_calloc_dbg,DuplicateHandle,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort, 17_3_00007DF4218AB498
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218AD3C0 NtAcceptConnectPort,NtAcceptConnectPort, 17_3_00007DF4218AD3C0
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218AC70C NtAcceptConnectPort, 17_3_00007DF4218AC70C
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218AC7CC NtAcceptConnectPort, 17_3_00007DF4218AC7CC
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218AAD14 NtAcceptConnectPort, 17_3_00007DF4218AAD14
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218AACC8 NtAcceptConnectPort, 17_3_00007DF4218AACC8
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218ABCC0 RtlDosPathNameToNtPathName_U,NtAcceptConnectPort,NtAcceptConnectPort,??3@YAXPEAX@Z, 17_3_00007DF4218ABCC0
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218AACE8 NtAcceptConnectPort, 17_3_00007DF4218AACE8
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218AAC0C NtAcceptConnectPort, 17_3_00007DF4218AAC0C
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218AAF40 NtAcceptConnectPort, 17_3_00007DF4218AAF40
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218AAF60 NtAcceptConnectPort, 17_3_00007DF4218AAF60
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218ABE6C NtAcceptConnectPort, 17_3_00007DF4218ABE6C
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218AAE5C NtAcceptConnectPort, 17_3_00007DF4218AAE5C
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218AADD4 NtAcceptConnectPort, 17_3_00007DF4218AADD4
Source: C:\Windows\System32\OpenWith.exe Code function: 17_2_000001F664381A90 NtAcceptConnectPort,NtAcceptConnectPort,RtlAddVectoredExceptionHandler, 17_2_000001F664381A90
Source: C:\Windows\System32\OpenWith.exe Code function: 17_2_000001F664380AC8 NtAcceptConnectPort,NtAcceptConnectPort, 17_2_000001F664380AC8
Source: C:\Windows\System32\OpenWith.exe Code function: 17_2_000001F664381CD0 RtlAllocateHeap,NtAcceptConnectPort,FindCloseChangeNotification, 17_2_000001F664381CD0
Source: C:\Windows\System32\OpenWith.exe Code function: 17_2_000001F6643815AC NtAcceptConnectPort, 17_2_000001F6643815AC
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_3_00007DF4ADB71CE8 _calloc_dbg,CreateProcessW,NtResumeThread,FindCloseChangeNotification,??3@YAXPEAX@Z, 26_3_00007DF4ADB71CE8
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_3_00007DF4ADB71958 _calloc_dbg,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtQueryInformationProcess,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory, 26_3_00007DF4ADB71958
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_0000023076702418 NtAcceptConnectPort, 26_2_0000023076702418
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_000002307670288C NtAcceptConnectPort, 26_2_000002307670288C
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_00000230767028E8 NtAcceptConnectPort, 26_2_00000230767028E8
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_00000230767028B8 NtAcceptConnectPort, 26_2_00000230767028B8
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_0000023076702990 NtAcceptConnectPort, 26_2_0000023076702990
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_00000230767029D4 NtAcceptConnectPort, 26_2_00000230767029D4
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_00000230767027B8 NtAcceptConnectPort, 26_2_00000230767027B8
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_0000023076702C64 NtAcceptConnectPort, 26_2_0000023076702C64
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_000002307670252C NtAcceptConnectPort, 26_2_000002307670252C
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_00007DF4ADB71E64 CreateProcessW,NtResumeThread,FindCloseChangeNotification, 26_2_00007DF4ADB71E64
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_00007DF4ADB7199C NtQueryInformationProcess,NtReadVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory, 26_2_00007DF4ADB7199C
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_00007DF4ADB82704 NtQuerySystemInformation,??3@YAXPEAX@Z,_malloc_dbg,NtQuerySystemInformation, 26_2_00007DF4ADB82704
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF5385C NtQuerySystemInformation, 27_2_00000213BBF5385C
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 7_2_00404FAA 7_2_00404FAA
Source: C:\Users\user\Desktop\file.exe Code function: 7_2_0041206B 7_2_0041206B
Source: C:\Users\user\Desktop\file.exe Code function: 7_2_0041022D 7_2_0041022D
Source: C:\Users\user\Desktop\file.exe Code function: 7_2_00411F91 7_2_00411F91
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Code function: 10_2_00C90BC1 10_2_00C90BC1
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_000001F665D824F7 17_3_000001F665D824F7
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_000001F665D85E7C 17_3_000001F665D85E7C
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_000001F665D8557C 17_3_000001F665D8557C
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_000001F665D858FC 17_3_000001F665D858FC
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_000001F665D81BA6 17_3_000001F665D81BA6
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_000001F665D8279C 17_3_000001F665D8279C
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_000001F665D84A38 17_3_000001F665D84A38
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_000001F665D82C3C 17_3_000001F665D82C3C
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218DB104 17_3_00007DF4218DB104
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF421882634 17_3_00007DF421882634
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF42194A168 17_3_00007DF42194A168
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218F20BC 17_3_00007DF4218F20BC
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218CF02C 17_3_00007DF4218CF02C
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF421881058 17_3_00007DF421881058
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF42196AF80 17_3_00007DF42196AF80
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218FCFB4 17_3_00007DF4218FCFB4
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF42197BFCC 17_3_00007DF42197BFCC
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF42196B318 17_3_00007DF42196B318
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4219772C8 17_3_00007DF4219772C8
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF42191E24C 17_3_00007DF42191E24C
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218D2524 17_3_00007DF4218D2524
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF42196A4A0 17_3_00007DF42196A4A0
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF421968474 17_3_00007DF421968474
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218E93F4 17_3_00007DF4218E93F4
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218C43F8 17_3_00007DF4218C43F8
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218DA430 17_3_00007DF4218DA430
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF42195A3D4 17_3_00007DF42195A3D4
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218CF3B8 17_3_00007DF4218CF3B8
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218E96E0 17_3_00007DF4218E96E0
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF42188F624 17_3_00007DF42188F624
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218DD594 17_3_00007DF4218DD594
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218E95D0 17_3_00007DF4218E95D0
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218D75E4 17_3_00007DF4218D75E4
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218A996C 17_3_00007DF4218A996C
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF42189F95C 17_3_00007DF42189F95C
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF42196A8BC 17_3_00007DF42196A8BC
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218DB7B8 17_3_00007DF4218DB7B8
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF42189FB24 17_3_00007DF42189FB24
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF42196FB04 17_3_00007DF42196FB04
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF42197CB04 17_3_00007DF42197CB04
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218E9B38 17_3_00007DF4218E9B38
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218D9B70 17_3_00007DF4218D9B70
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218CFA94 17_3_00007DF4218CFA94
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218F9AE0 17_3_00007DF4218F9AE0
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218DCA38 17_3_00007DF4218DCA38
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4219669A8 17_3_00007DF4219669A8
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF42189D9F0 17_3_00007DF42189D9F0
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF421885C24 17_3_00007DF421885C24
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF421926C60 17_3_00007DF421926C60
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218EDC54 17_3_00007DF4218EDC54
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF42195EBE4 17_3_00007DF42195EBE4
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218B0F04 17_3_00007DF4218B0F04
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218B9F4C 17_3_00007DF4218B9F4C
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF421969F68 17_3_00007DF421969F68
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF42196AE00 17_3_00007DF42196AE00
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF421891E54 17_3_00007DF421891E54
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF421976DAC 17_3_00007DF421976DAC
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF421963D84 17_3_00007DF421963D84
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218CFDE0 17_3_00007DF4218CFDE0
Source: C:\Windows\System32\OpenWith.exe Code function: 17_2_000001F664380C5C 17_2_000001F664380C5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 25_2_00D47068 25_2_00D47068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 25_2_00D4B550 25_2_00D4B550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 25_2_00D46798 25_2_00D46798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 25_2_00D46450 25_2_00D46450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 25_2_00D40C10 25_2_00D40C10
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_3_00007DF4ADB74EFC 26_3_00007DF4ADB74EFC
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_3_00007DF4ADB7392C 26_3_00007DF4ADB7392C
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_3_00007DF4ADB72204 26_3_00007DF4ADB72204
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_00000230766FC25C 26_2_00000230766FC25C
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_0000023076702D24 26_2_0000023076702D24
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_00000230766F2628 26_2_00000230766F2628
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_0000023076707270 26_2_0000023076707270
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_0000023076730270 26_2_0000023076730270
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_0000023076724A50 26_2_0000023076724A50
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_0000023076733A4D 26_2_0000023076733A4D
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_0000023076723A38 26_2_0000023076723A38
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_0000023076705ADC 26_2_0000023076705ADC
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_000002307670E398 26_2_000002307670E398
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_000002307672CC00 26_2_000002307672CC00
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_0000023076717094 26_2_0000023076717094
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_0000023076730874 26_2_0000023076730874
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_000002307671D854 26_2_000002307671D854
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_0000023076725918 26_2_0000023076725918
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_00000230767248D0 26_2_00000230767248D0
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_000002307672E984 26_2_000002307672E984
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_0000023076710174 26_2_0000023076710174
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_000002307672F940 26_2_000002307672F940
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_000002307672F1D0 26_2_000002307672F1D0
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_0000023076713EA4 26_2_0000023076713EA4
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_0000023076717684 26_2_0000023076717684
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_0000023076706F24 26_2_0000023076706F24
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_0000023076725EC8 26_2_0000023076725EC8
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_00000230767186B4 26_2_00000230767186B4
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_000002307670BEB8 26_2_000002307670BEB8
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_0000023076723F70 26_2_0000023076723F70
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_000002307670C750 26_2_000002307670C750
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_000002307670D010 26_2_000002307670D010
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_000002307672A81C 26_2_000002307672A81C
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_0000023076720478 26_2_0000023076720478
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_0000023076736434 26_2_0000023076736434
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_0000023076716D18 26_2_0000023076716D18
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_000002307670DCE4 26_2_000002307670DCE4
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_000002307672ECE4 26_2_000002307672ECE4
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_00000230766F14D0 26_2_00000230766F14D0
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_0000023076730D90 26_2_0000023076730D90
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_000002307670F618 26_2_000002307670F618
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_0000023076724DE8 26_2_0000023076724DE8
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_00000230767295D4 26_2_00000230767295D4
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_00000230767255B0 26_2_00000230767255B0
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_00007DF4ADB722CC 26_2_00007DF4ADB722CC
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF5737C 27_2_00000213BBF5737C
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF73B40 27_2_00000213BBF73B40
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF7C2EC 27_2_00000213BBF7C2EC
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF692D4 27_2_00000213BBF692D4
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF72AA0 27_2_00000213BBF72AA0
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF72254 27_2_00000213BBF72254
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF73210 27_2_00000213BBF73210
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF69998 27_2_00000213BBF69998
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF68980 27_2_00000213BBF68980
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF74144 27_2_00000213BBF74144
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF6A860 27_2_00000213BBF6A860
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF69818 27_2_00000213BBF69818
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF5BFE4 27_2_00000213BBF5BFE4
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF627A4 27_2_00000213BBF627A4
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF6F76C 27_2_00000213BBF6F76C
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF6AF55 27_2_00000213BBF6AF55
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF68EB8 27_2_00000213BBF68EB8
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF7C668 27_2_00000213BBF7C668
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF74660 27_2_00000213BBF74660
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF5D604 27_2_00000213BBF5D604
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF6AE10 27_2_00000213BBF6AE10
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF58DF4 27_2_00000213BBF58DF4
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF5C5D4 27_2_00000213BBF5C5D4
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF725B4 27_2_00000213BBF725B4
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF69D30 27_2_00000213BBF69D30
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF7B516 27_2_00000213BBF7B516
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF6E51C 27_2_00000213BBF6E51C
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF6A4F8 27_2_00000213BBF6A4F8
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF7C500 27_2_00000213BBF7C500
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF5BC68 27_2_00000213BBF5BC68
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF653C8 27_2_00000213BBF653C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 36_2_00A20C0C 36_2_00A20C0C
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe D76D0650B630FDB70756A446E0A43672B5DA1C2A74014118B02133923305DA9A
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\vcl120.bpl CCCCADDE7393F1B624CDE32B38274E60BBE65B1769D614D129BABDAEEF9A6715
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0040243B appears 37 times
Sample file is different than original file name gathered from version info
Source: file.exe, 00000007.00000003.1288778796.0000000002440000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSendBugReportNew.exe8 vs file.exe
Source: file.exe, 00000007.00000002.1407887534.000000000062C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSe vs file.exe
Source: file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: LegalTrademarks OriginalFileName vs file.exe
Source: file.exe, 00000007.00000003.1288442437.00000000026C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSendBugReportNew.exe8 vs file.exe
Source: file.exe, 00000007.00000000.1278151691.0000000000432000.00000002.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs file.exe
Source: file.exe, 00000007.00000003.1280929299.00000000024CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs file.exe
Source: file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRTL120.BPLR vs file.exe
Source: file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameVCL120.BPLR vs file.exe
Source: file.exe, 00000007.00000003.1286758641.00000000028C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameVCLX120.BPLR vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 23.2.cmd.exe.34407f8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 14.2.cmd.exe.5152b57.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.cmd.exe.53fcb57.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.59800c8.8.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 14.2.cmd.exe.59800c8.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 14.2.cmd.exe.510da8a.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.SendBugReportNew.exe.2ec65ce.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 36.2.MSBuild.exe.150000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 23.2.cmd.exe.53fd757.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 32.2.cmd.exe.52e1a8a.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 23.2.cmd.exe.53b7a8a.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 32.2.cmd.exe.31c00c8.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 32.2.cmd.exe.5327757.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.SendBugReportNew.exe.2ec59ce.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 32.2.cmd.exe.5326b57.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.5153757.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 9.2.SendBugReportNew.exe.2e80901.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000020.00000002.1996059413.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000E.00000002.1687453554.0000000005980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000024.00000002.1997258638.0000000000152000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\tqco, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\cfi, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: cfi.14.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: cfi.14.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: cfi.14.dr, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.cmd.exe.59800c8.8.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.cmd.exe.59800c8.8.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.cmd.exe.59800c8.8.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: tqco.32.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: tqco.32.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: tqco.32.dr, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: cfi.14.dr, Settings.cs Base64 encoded string: 'uDpIC5MhbQNlej6TZZrfiJZ00Nkd8jMct6g0aqeBCrxvUUIVRc5gpzZjeJYcaFsi'
Source: 14.2.cmd.exe.59800c8.8.raw.unpack, Settings.cs Base64 encoded string: 'uDpIC5MhbQNlej6TZZrfiJZ00Nkd8jMct6g0aqeBCrxvUUIVRc5gpzZjeJYcaFsi'
Source: tqco.32.dr, Settings.cs Base64 encoded string: 'uDpIC5MhbQNlej6TZZrfiJZ00Nkd8jMct6g0aqeBCrxvUUIVRc5gpzZjeJYcaFsi'
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack, Settings.cs Base64 encoded string: 'uDpIC5MhbQNlej6TZZrfiJZ00Nkd8jMct6g0aqeBCrxvUUIVRc5gpzZjeJYcaFsi'
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: tqco.32.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: tqco.32.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: cfi.14.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: cfi.14.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 14.2.cmd.exe.59800c8.8.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.2.cmd.exe.59800c8.8.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 17.3.OpenWith.exe.1f6665ad970.3.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 17.3.OpenWith.exe.1f6665ad970.5.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 17.3.OpenWith.exe.1f6665ad970.0.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 17.3.OpenWith.exe.1f6665ad970.1.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 17.2.OpenWith.exe.1f6665ad970.2.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 17.3.OpenWith.exe.1f6665ad970.2.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 17.3.OpenWith.exe.1f6665ad970.4.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@28/14@2/3
Source: C:\Users\user\Desktop\file.exe Code function: 7_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree, 7_2_00407776
Source: C:\Users\user\Desktop\file.exe Code function: 7_2_0040118A GetDiskFreeSpaceExW,SendMessageW, 7_2_0040118A
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF421882634 CreateToolhelp32Snapshot,Thread32First,Thread32Next,FindCloseChangeNotification,SuspendThread, 17_3_00007DF421882634
Source: C:\Users\user\Desktop\file.exe Code function: 7_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z, 7_2_004034C1
Source: C:\Users\user\Desktop\file.exe Code function: 7_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress, 7_2_00401BDF
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe File created: C:\Users\user\AppData\Roaming\Javaoraclev4 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Mutant created: \Sessions\1\BaseNamedObjects\TN3sSNYI1fDMFOs2
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4016:120:WilError_03
Source: C:\Windows\SysWOW64\OpenWith.exe Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8168:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user~1\AppData\Local\Temp\mvyvk Jump to behavior
Source: Yara match File source: 9.2.SendBugReportNew.exe.50000000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000003.1286758641.00000000026C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1405996378.0000000050001000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\rtl120.bpl, type: DROPPED
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: OpenWith.exe, 00000011.00000003.1737822695.000001F666418000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1440127395.000001F666561000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: OpenWith.exe, 00000011.00000003.1737822695.000001F666418000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1440127395.000001F666561000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: OpenWith.exe, 00000011.00000003.1737822695.000001F666418000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1440127395.000001F666561000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: OpenWith.exe, 00000011.00000003.1737822695.000001F666418000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1440127395.000001F666561000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: OpenWith.exe, 00000011.00000003.1737822695.000001F666418000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1440127395.000001F666561000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: OpenWith.exe, 00000011.00000003.1737822695.000001F666418000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1440127395.000001F666561000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: OpenWith.exe, 00000011.00000003.1502193124.000001F666866000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: OpenWith.exe, 00000011.00000003.1737822695.000001F666418000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 00000011.00000003.1440127395.000001F666561000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe "C:\Users\user~1\AppData\Local\Temp\SendBugReportNew.exe"
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Process created: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Process created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\OpenWith.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe "C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe"
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows Media Player\wmplayer.exe "C:\Program Files\Windows Media Player\wmplayer.exe"
Source: C:\Program Files\Windows Media Player\wmplayer.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe "C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe"
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe "C:\Users\user~1\AppData\Local\Temp\SendBugReportNew.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Process created: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Process created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe" Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows Media Player\wmplayer.exe "C:\Program Files\Windows Media Player\wmplayer.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: oledlg.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: pla.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: tdh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bitsproxy.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: oledlg.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: pla.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: tdh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: msftedit.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: comsvcs.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmlua.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmutil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\dllhost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: pla.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: pdh.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: tdh.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: uhlqevxks.14.dr LNK file: ..\..\..\..\user\AppData\Local\Temp\SendBugReportNew.exe
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Windows\SysWOW64\msftedit.dll
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\7.0\Outlook\Profiles\Outlook Jump to behavior
Source: file.exe Static file information: File size 2594056 > 1048576
Source: Binary string: wkernel32.pdb source: V3.exe, 0000000A.00000003.1325524956.00000000046F0000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325445545.00000000010D0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329816616.0000000004CF0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329733550.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: V3.exe, 0000000A.00000003.1325726282.0000000004670000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325910067.0000000004890000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1330348319.0000000004DF0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1330078113.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: V3.exe, 0000000A.00000003.1324630716.0000000004670000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1324825043.0000000004860000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1328177048.0000000004DC0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1327943327.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: SendBugReportNew.exe, 00000009.00000002.1404881982.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404526602.000000000306B000.00000004.00000020.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325063351.0000000004670000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325220783.0000000004810000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329265416.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329541832.0000000004D70000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686777775.0000000004D58000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1687023022.00000000051F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: V3.exe, 0000000A.00000003.1324630716.0000000004670000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1324825043.0000000004860000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1328177048.0000000004DC0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1327943327.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SendBugReportNew.exe, 00000009.00000002.1404881982.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, SendBugReportNew.exe, 00000009.00000002.1404526602.000000000306B000.00000004.00000020.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325063351.0000000004670000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325220783.0000000004810000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329265416.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329541832.0000000004D70000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1686777775.0000000004D58000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1687023022.00000000051F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: win32u.pdb source: wmplayer.exe
Source: Binary string: wkernel32.pdbUGP source: V3.exe, 0000000A.00000003.1325524956.00000000046F0000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325445545.00000000010D0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329816616.0000000004CF0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1329733550.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: V3.exe, 0000000A.00000003.1325726282.0000000004670000.00000004.00000001.00020000.00000000.sdmp, V3.exe, 0000000A.00000003.1325910067.0000000004890000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1330348319.0000000004DF0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000D.00000003.1330078113.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: cfi.14.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: cfi.14.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 14.2.cmd.exe.59800c8.8.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 14.2.cmd.exe.59800c8.8.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: tqco.32.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: tqco.32.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
.NET source code contains potential unpacker
Source: cfi.14.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: cfi.14.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: cfi.14.dr, Messages.cs .Net Code: Memory
Source: 14.2.cmd.exe.59800c8.8.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 14.2.cmd.exe.59800c8.8.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 14.2.cmd.exe.59800c8.8.raw.unpack, Messages.cs .Net Code: Memory
Source: 17.3.OpenWith.exe.1f6665ad970.1.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 17.3.OpenWith.exe.1f6665ad970.1.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 17.3.OpenWith.exe.1f6665ad970.4.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 17.3.OpenWith.exe.1f6665ad970.4.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 17.3.OpenWith.exe.1f6665ad970.0.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 17.3.OpenWith.exe.1f6665ad970.0.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 17.2.OpenWith.exe.1f6665ad970.2.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 17.2.OpenWith.exe.1f6665ad970.2.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 17.3.OpenWith.exe.1f6665ad970.5.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 17.3.OpenWith.exe.1f6665ad970.5.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 17.2.OpenWith.exe.1f665dac830.1.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 17.2.OpenWith.exe.1f665dac830.1.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 17.3.OpenWith.exe.1f6665ad970.3.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 17.3.OpenWith.exe.1f6665ad970.3.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 17.3.OpenWith.exe.1f6665ad970.2.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 17.3.OpenWith.exe.1f6665ad970.2.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: tqco.32.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: tqco.32.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: tqco.32.dr, Messages.cs .Net Code: Memory
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 32.2.cmd.exe.31c00c8.0.raw.unpack, Messages.cs .Net Code: Memory
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 7_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow, 7_2_00406D5D
PE file contains an invalid checksum
Source: rtl120.bpl.7.dr Static PE information: real checksum: 0x11a2e4 should be: 0x11ae83
Source: V3.exe.9.dr Static PE information: real checksum: 0x0 should be: 0x6f036
Source: tqco.32.dr Static PE information: real checksum: 0x0 should be: 0x12550
Source: file.exe Static PE information: real checksum: 0x33302 should be: 0x27fe33
Source: cfi.14.dr Static PE information: real checksum: 0x0 should be: 0x12550
PE file contains sections with non-standard names
Source: V3.exe.9.dr Static PE information: section name: .textbss
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 7_2_00411C20 push eax; ret 7_2_00411C4E
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Code function: 10_3_00C96A80 push edx; ret 10_3_00C96A81
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Code function: 10_3_00C94C95 push es; retf 10_3_00C94C91
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Code function: 10_3_00C95E69 push ebx; iretd 10_3_00C95E6A
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Code function: 10_3_00C94C62 push es; retf 10_3_00C94C91
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Code function: 10_3_00C961E2 push eax; retf 10_3_00C961F1
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Code function: 10_3_00C947A2 push ebp; iretd 10_3_00C947A3
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Code function: 10_3_00C92F50 push eax; retf 10_3_00C92F51
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Code function: 10_3_00C94170 push ecx; iretd 10_3_00C9417C
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Code function: 10_3_00C96777 push esi; ret 10_3_00C96782
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Code function: 10_3_00C94130 pushad ; ret 10_3_00C94138
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Code function: 10_2_00C3C01A push ds; iretd 10_2_00C3C036
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Code function: 10_2_00C912F4 push ecx; ret 10_2_00C91307
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Code function: 10_2_00C31436 push ds; retf 10_2_00C3143B
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Code function: 10_2_00C3E5F8 push ebx; ret 10_2_00C3E5F9
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 13_3_02724262 push eax; retf 13_3_02724271
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 13_3_02722822 push ebp; iretd 13_3_02722823
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 13_3_02722CE2 push es; retf 13_3_02722D11
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 13_3_02723EE9 push ebx; iretd 13_3_02723EEA
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 13_3_02722D15 push es; retf 13_3_02722D11
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 13_3_02724B00 push edx; ret 13_3_02724B01
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 13_3_027221F0 push ecx; iretd 13_3_027221FC
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 13_3_027247F7 push esi; ret 13_3_02724802
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 13_3_02720FD0 push eax; retf 13_3_02720FD1
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 13_3_027221B0 pushad ; ret 13_3_027221B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 25_2_00D451C8 pushad ; ret 25_2_00D451C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 25_2_00D45474 pushfd ; ret 25_2_00D45475
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 25_2_00D439E8 push ebx; retf 25_2_00D43ADA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 25_2_00D43A18 push ebx; retf 25_2_00D43ADA
Source: C:\Windows\System32\dllhost.exe Code function: 27_2_00000213BBF50B44 push ss; ret 27_2_00000213BBF50B46
Drops PE files
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\cfi Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\vcl120.bpl Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\tqco Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\vclx120.bpl Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\rtl120.bpl Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe File created: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\rtl120.bpl Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\vcl120.bpl Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\vclx120.bpl Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\cfi Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\tqco Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Found hidden mapped module (file has been removed from disk)
Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\CFI
Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\TQCO
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\dllhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe API/Special instruction interceptor: Address: 6D1F7C44
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe API/Special instruction interceptor: Address: 7FFB2CECD044
Source: C:\Windows\SysWOW64\OpenWith.exe API/Special instruction interceptor: Address: 7FFB2CECD044
Source: C:\Windows\SysWOW64\OpenWith.exe API/Special instruction interceptor: Address: 4DDA83A
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe API/Special instruction interceptor: Address: 6D1F7945
Source: C:\Windows\SysWOW64\cmd.exe API/Special instruction interceptor: Address: 6D1F3B54
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: OpenWith.exe, 0000000D.00000002.1394433791.0000000004480000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE
Source: OpenWith.exe, 0000000D.00000002.1394433791.0000000004480000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HOOKEXPLORER.EXE
Source: OpenWith.exe, 0000000D.00000002.1394433791.0000000004480000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXE
Source: OpenWith.exe, 0000000D.00000002.1394433791.0000000004480000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEPROCESSHACKER.EXEIDAQ64.
Source: OpenWith.exe, 0000000D.00000002.1394433791.0000000004480000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X64DBG.EXE
Source: OpenWith.exe, 0000000D.00000002.1394433791.0000000004480000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AP.EXEDE4DOT.EXEHOOKEXPLORER.EXEILSPY.EXELORDP
Source: OpenWith.exe, 0000000D.00000002.1394433791.0000000004480000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WINDUMP.EXE
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: D40000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 29A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 28C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: A20000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2400000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 2200000 memory reserve | memory write watch
Contains functionality to query network adapater information
Source: C:\Windows\System32\dllhost.exe Code function: GetAdaptersInfo, 27_2_00000213BBF52AC4
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 6317 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 3408 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cfi Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tqco Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2864 Thread sleep time: -19369081277395017s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1848 Thread sleep count: 6317 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1848 Thread sleep count: 3408 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7396 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\SysWOW64\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 7_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, 7_2_0040301A
Source: C:\Users\user\Desktop\file.exe Code function: 7_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 7_2_00402B79
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Code function: 10_2_00C8A165 FindFirstFileExW, 10_2_00C8A165
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218822DC GetSystemInfo,VirtualAlloc, 17_3_00007DF4218822DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\Documents\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
Source: cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: SendBugReportNew.exe, 00000009.00000002.1404127146.0000000002D49000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6vmware
Source: cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: OpenWith.exe, 0000000D.00000003.1330078113.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
Source: cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: OpenWith.exe, 0000000D.00000002.1394291501.0000000002A5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: cmd.exe, 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: OpenWith.exe, 0000000D.00000002.1394291501.0000000002A98000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: OpenWith.exe, 0000000D.00000003.1330078113.0000000004BD0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
Source: MSBuild.exe, 00000019.00000002.3765090379.0000000000DB4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: OpenWith.exe, 00000011.00000003.1444820986.000001F6663B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkmbolicLinkSymbolicLink)
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Code function: 10_2_00C89AB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00C89AB4
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 7_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow, 7_2_00406D5D
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Code function: 10_3_00C92277 mov eax, dword ptr fs:[00000030h] 10_3_00C92277
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Code function: 10_2_00C92277 mov eax, dword ptr fs:[00000030h] 10_2_00C92277
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 13_3_02720283 mov eax, dword ptr fs:[00000030h] 13_3_02720283
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Code function: 10_2_00C84E5A GetProcessHeap,RtlAllocateHeap,GetModuleFileNameW,_wcsrchr,lstrlenW,GetProcessHeap,RtlFreeHeap,MulDiv, 10_2_00C84E5A
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Code function: 10_2_00C89AB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00C89AB4
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Code function: 10_2_00C85A33 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_00C85A33
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Code function: 10_2_00C855A9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00C855A9
Source: C:\Windows\System32\OpenWith.exe Code function: 17_2_000001F664381A90 NtAcceptConnectPort,NtAcceptConnectPort,RtlAddVectoredExceptionHandler, 17_2_000001F664381A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Program Files\Windows Media Player\wmplayer.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 213BBF50000 protect: page read and write Jump to behavior
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe NtQuerySystemInformation: Direct from: 0x777563E1
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6B7B1000 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9A6008 Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe Memory written: C:\Windows\System32\dllhost.exe base: 213BBF50000 Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe Memory written: C:\Windows\System32\dllhost.exe base: 7FF7D87314E0 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6B7B1000
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 3C9008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe "C:\Users\user~1\AppData\Local\Temp\SendBugReportNew.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Process created: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe Process created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe" Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows Media Player\wmplayer.exe "C:\Program Files\Windows Media Player\wmplayer.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\SendBugReportNew.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\file.exe Code function: 7_2_0040D72E cpuid 7_2_0040D72E
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\file.exe Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar, 7_2_00401F9D
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Windows\System32\OpenWith.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\OpenWith.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files\Windows Media Player\wmplayer.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\dllhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218A1B18 CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 17_3_00007DF4218A1B18
Source: C:\Users\user\Desktop\file.exe Code function: 7_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z, 7_2_00401626
Source: C:\Users\user\Desktop\file.exe Code function: 7_2_00404FAA GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA, 7_2_00404FAA
Source: C:\Windows\SysWOW64\OpenWith.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: OpenWith.exe, 0000000D.00000002.1394433791.0000000004480000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OllyDbg.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information
barindex
Yara detected RHADAMANTHYS Stealer
Source: Yara match File source: 10.2.V3.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.cmd.exe.5152b57.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.cmd.exe.53fcb57.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.cmd.exe.510da8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SendBugReportNew.exe.2ec65ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.V3.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.cmd.exe.53fd757.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.cmd.exe.52e1a8a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.cmd.exe.53b7a8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.cmd.exe.5327757.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SendBugReportNew.exe.2ec59ce.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.cmd.exe.5326b57.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.cmd.exe.5153757.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SendBugReportNew.exe.2e80901.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000002.1996496863.00000000052DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1322328519.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1720436187.00000000053B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.1440127395.000001F666561000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.1326989708.0000000002980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.1297243134.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.1440280085.000001F666614000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.1740003326.000001F666761000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1394467847.0000000004490000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1326750391.0000000003E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe, type: DROPPED
Yara detected XWorm
Source: Yara match File source: 32.2.cmd.exe.31c00c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.cmd.exe.59800c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.cmd.exe.59800c8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.MSBuild.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.cmd.exe.31c00c8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000002.1996059413.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.3766821762.00000000029D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1687453554.0000000005980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.1997258638.0000000000152000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 7596, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\tqco, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\cfi, type: DROPPED
Found many strings related to Crypto-Wallets (likely being stolen)
Source: OpenWith.exe, 00000011.00000003.1511323700.000001F6663D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\Qtum-Electrum\config
Source: OpenWith.exe, 00000011.00000003.1497516900.000001F66635D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\com.liberty.jaxx
Source: OpenWith.exe, 00000011.00000003.1497516900.000001F66635D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: OpenWith.exe, 00000011.00000003.1497516900.000001F66635D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\Exodus
Source: OpenWith.exe, 00000011.00000003.1497516900.000001F66635D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\Coinomi\Coinomi\wallets
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-Qt Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\y572q81e.default Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\startupCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\6f70cc77-7837-4f44-9c31-7de59e446d67 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\safebrowsing\google4 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\settings\main Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\safebrowsing Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\settings Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\settings\main\ms-language-packs\browser\newtab Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\cache2\doomed Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\thumbnails Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\settings\main\ms-language-packs Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\cache2 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\settings\main\ms-language-packs\browser Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fu7wner3.default-release\cache2\entries Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\Windows\System32\OpenWith.exe Directory queried: number of queries: 1001
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: OpenWith.exe PID: 7724, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected RHADAMANTHYS Stealer
Source: Yara match File source: 10.2.V3.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.cmd.exe.5152b57.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.cmd.exe.53fcb57.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.cmd.exe.510da8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SendBugReportNew.exe.2ec65ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.V3.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.cmd.exe.53fd757.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.cmd.exe.52e1a8a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.cmd.exe.53b7a8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.cmd.exe.5327757.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SendBugReportNew.exe.2ec59ce.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.cmd.exe.5326b57.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.cmd.exe.5153757.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.SendBugReportNew.exe.2e80901.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000002.1996496863.00000000052DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1404272161.0000000002E7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1322328519.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.1720436187.00000000053B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.1440127395.000001F666561000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.1326989708.0000000002980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.1297243134.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1327837803.0000000000C31000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1686907778.0000000005107000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.1440280085.000001F666614000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.1740003326.000001F666761000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1394467847.0000000004490000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1326750391.0000000003E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\Javaoraclev4\YIUEROPTJR\V3.exe, type: DROPPED
Yara detected XWorm
Source: Yara match File source: 32.2.cmd.exe.31c00c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.cmd.exe.59800c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.cmd.exe.59800c8.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.MSBuild.exe.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.cmd.exe.31c00c8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000002.1996059413.00000000031C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.3766821762.00000000029D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1687453554.0000000005980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.1997258638.0000000000152000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 7596, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\tqco, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\cfi, type: DROPPED
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218D4088 socket,bind, 17_3_00007DF4218D4088
Source: C:\Windows\System32\OpenWith.exe Code function: 17_3_00007DF4218A1B18 CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 17_3_00007DF4218A1B18
Source: C:\Program Files\Windows Media Player\wmplayer.exe Code function: 26_2_00000230766FCDF4 CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 26_2_00000230766FCDF4
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1499938 Sample: file.exe Startdate: 27/08/2024 Architecture: WINDOWS Score: 100 70 pastebin.com 2->70 72 time.windows.com 2->72 88 Suricata IDS alerts for network traffic 2->88 90 Found malware configuration 2->90 92 Malicious sample detected (through community Yara rule) 2->92 96 12 other signatures 2->96 12 file.exe 8 2->12         started        15 SendBugReportNew.exe 2->15         started        18 SendBugReportNew.exe 1 2->18         started        signatures3 94 Connects to a pastebin service (likely for C&C) 70->94 process4 file5 60 C:\Users\user\AppData\Local\...\vclx120.bpl, PE32 12->60 dropped 62 C:\Users\user\AppData\Local\Temp\vcl120.bpl, PE32 12->62 dropped 64 C:\Users\user\AppData\Local\Temp\rtl120.bpl, PE32 12->64 dropped 66 C:\Users\user\...\SendBugReportNew.exe, PE32 12->66 dropped 20 SendBugReportNew.exe 4 12->20         started        124 Maps a DLL or memory area into another process 15->124 126 Found direct / indirect Syscall (likely to bypass EDR) 15->126 24 cmd.exe 15->24         started        26 cmd.exe 18->26         started        signatures6 process7 file8 56 C:\Users\user\AppData\Roaming\...\V3.exe, PE32 20->56 dropped 102 Maps a DLL or memory area into another process 20->102 104 Switches to a custom stack to bypass stack traces 20->104 28 V3.exe 1 20->28         started        31 cmd.exe 4 20->31         started        58 C:\Users\user\AppData\Local\Temp\tqco, PE32 24->58 dropped 106 Writes to foreign memory regions 24->106 34 conhost.exe 24->34         started        36 MSBuild.exe 24->36         started        38 conhost.exe 26->38         started        signatures9 process10 file11 114 Machine Learning detection for dropped file 28->114 116 Switches to a custom stack to bypass stack traces 28->116 40 OpenWith.exe 28->40         started        68 C:\Users\user\AppData\Local\Temp\cfi, PE32 31->68 dropped 118 Writes to foreign memory regions 31->118 120 Found hidden mapped module (file has been removed from disk) 31->120 122 Maps a DLL or memory area into another process 31->122 44 MSBuild.exe 15 2 31->44         started        46 conhost.exe 31->46         started        signatures12 process13 dnsIp14 74 154.216.19.149, 2047, 443, 49706 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Seychelles 40->74 108 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 40->108 110 Switches to a custom stack to bypass stack traces 40->110 48 OpenWith.exe 40->48         started        76 85.209.133.150, 49726, 6677 CMCSUS Germany 44->76 78 pastebin.com 104.20.4.235, 443, 49725 CLOUDFLARENETUS United States 44->78 112 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 44->112 signatures15 process16 signatures17 80 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 48->80 82 Tries to steal Mail credentials (via file / registry access) 48->82 84 Found many strings related to Crypto-Wallets (likely being stolen) 48->84 86 2 other signatures 48->86 51 wmplayer.exe 48->51         started        process18 signatures19 98 Writes to foreign memory regions 51->98 100 Allocates memory in foreign processes 51->100 54 dllhost.exe 51->54         started        process20
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
154.216.19.149
 unknown Seychelles
135357 SKHT-ASShenzhenKatherineHengTechnologyInformationCo true
104.20.4.235
 pastebin.com United States
13335 CLOUDFLARENETUS true
85.209.133.150
 unknown Germany
33657 CMCSUS true

Contacted Domains

Name IP Active
pastebin.com 104.20.4.235 true
time.windows.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://154.216.19.149:2047/888260cc6af8f/07djb4gj.jifud true
  • Avira URL Cloud: safe
 unknown
https://pastebin.com/raw/jxfGm9Pc true
  • Avira URL Cloud: safe
 unknown