Windows Analysis Report
TctqdRX5Wq.exe

Overview

General Information

Sample name: TctqdRX5Wq.exe (renamed because the original name is a hash value)
Original sample name: 04564c481b2b3c094bef173df90782f6fc83bd7a02c028024676ee1036d8fa1f.exe
Analysis ID: 1526561
MD5: 34ecbd07c675ebc57c044ec300621a2d
SHA1: 348846c91d64300811928ab1db473be7501fc921
SHA256: 04564c481b2b3c094bef173df90782f6fc83bd7a02c028024676ee1036d8fa1f
Tags: exe, user-JAMESWT_MHT

Detection

RHADAMANTHYS
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RHADAMANTHYS Stealer
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Dllhost Internet Connection
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic

Classification

Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies, it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
Attribution: Sandworm
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

AV Detection

Source: 00000000.00000002.1723676965.0000000003795000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://135.181.4.162:2423/97e9fc994198e76/ok9djscw.jxh0g"}
Source: https://135.181.4.162:2423/97e9fc994198e76/ok9djscw.jxh0g Virustotal: Detection: 11%
Source: TctqdRX5Wq.exe ReversingLabs: Detection: 76%
Source: TctqdRX5Wq.exe Virustotal: Detection: 72%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F522258 CryptUnprotectData, 12_3_00007DF42F522258
Source: TctqdRX5Wq.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:49820 version: TLS 1.2
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:49856 version: TLS 1.2
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:49887 version: TLS 1.2
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:49930 version: TLS 1.2
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:49973 version: TLS 1.2
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:50015 version: TLS 1.2
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:50016 version: TLS 1.2
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:50017 version: TLS 1.2
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:50018 version: TLS 1.2
Source: TctqdRX5Wq.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdby^ source: OpenWith.exe, 0000000C.00000002.2090027335.000001C4B1658000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdb source: OpenWith.exe, 00000006.00000003.1737864385.0000000005300000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1737759699.00000000051E0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: OpenWith.exe, 0000000C.00000002.2090027335.000001C4B1658000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: OpenWith.exe, 0000000C.00000002.2090027335.000001C4B1658000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb2j source: OpenWith.exe, 0000000C.00000002.2090027335.000001C4B1658000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: OpenWith.exe, 00000006.00000003.1738036427.00000000051E0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1738258496.0000000005400000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: OpenWith.exe, 00000006.00000003.1736083769.00000000051E0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1736374528.00000000053D0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: OpenWith.exe, 00000006.00000003.1737123646.00000000051E0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1737430559.0000000005380000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: OpenWith.exe, 00000006.00000003.1736083769.00000000051E0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1736374528.00000000053D0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: OpenWith.exe, 00000006.00000003.1737123646.00000000051E0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1737430559.0000000005380000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: OpenWith.exe, 00000006.00000003.1737864385.0000000005300000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1737759699.00000000051E0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: OpenWith.exe, 00000006.00000003.1738036427.00000000051E0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1738258496.0000000005400000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft
Source: C:\Windows\System32\OpenWith.exe Code function: 4x nop then dec esp 12_3_00007DF42F52E261
Source: C:\Windows\System32\OpenWith.exe Code function: 4x nop then dec esp 12_2_000001C4B1600511
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 4x nop then dec esp 16_2_0000019168205641
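The two "Static PE information" lines above (EXECUTABLE_IMAGE, 32BIT_MACHINE and HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE) are decoded from two 16-bit fields in the PE header: IMAGE_FILE_HEADER.Characteristics and IMAGE_OPTIONAL_HEADER.DllCharacteristics. The Python below is an added example, not Joe Sandbox code: it walks the header to those two fields, names the set bits, and adds the notes a triage analyst would want next to the raw flag list (here, that HIGH_ENTROPY_VA has no effect on a PE32 image and that GUARD_CF is absent). The header bytes it parses are constructed to carry the same flag bits as the report; they are not taken from the sample.

```python
"""Decode the PE header bit fields behind the 'Static PE information' lines:
IMAGE_FILE_HEADER.Characteristics and IMAGE_OPTIONAL_HEADER.DllCharacteristics.
Added example; the header bytes built below are constructed, not the sample's."""
import struct

# IMAGE_FILE_HEADER.Characteristics bits (subset relevant to triage)
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (the mitigation flags)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def decode_flags(value, table):
    """Return the names of the set bits, lowest bit first, plus any bit not in the table."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:04X}")
    return names


def parse_pe_characteristics(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> file header -> optional header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, _nsec, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20  # IMAGE_FILE_HEADER is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt)
    if opt_size < 72 or magic not in (0x10B, 0x20B):
        raise ValueError("optional header absent or not PE32/PE32+")
    # DllCharacteristics sits at offset 70 in both the PE32 and the PE32+ optional header
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "machine": f"0x{machine:04X}",
        "format": "PE32" if magic == 0x10B else "PE32+",
        "characteristics": decode_flags(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": decode_flags(dll_chars, DLL_CHARACTERISTICS),
    }


def triage_notes(info: dict) -> list:
    """Observations worth writing next to the raw flag list."""
    notes = []
    dc = set(info["dll_characteristics"])
    if "HIGH_ENTROPY_VA" in dc and info["format"] == "PE32":
        notes.append("HIGH_ENTROPY_VA set on a PE32 image: the flag only affects 64-bit address spaces")
    for flag in ("DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF"):
        if flag not in dc:
            notes.append(f"{flag} not set")
    return notes


def build_constructed_header(file_chars=0x0102, dll_chars=0x8560, pe32=True) -> bytes:
    """Constructed minimal header (not the real sample) carrying the given flag bits.
    Defaults reproduce the report: EXECUTABLE_IMAGE|32BIT_MACHINE and
    HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header directly after the DOS header
    magic, machine, opt_size = (0x10B, 0x014C, 0xE0) if pe32 else (0x20B, 0x8664, 0xF0)
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    info = parse_pe_characteristics(build_constructed_header())
    print(info)
    for note in triage_notes(info):
        print("note:", note)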

Networking

Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 135.181.4.162:2423 -> 192.168.2.4:49730
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 135.181.4.162:2423 -> 192.168.2.4:49734
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 135.181.4.162:2423 -> 192.168.2.4:49738
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 135.181.4.162:443 -> 192.168.2.4:49742
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 135.181.4.162:443 -> 192.168.2.4:49739
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 135.181.4.162:443 -> 192.168.2.4:49741
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 135.181.4.162:443 -> 192.168.2.4:49779
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 135.181.4.162:443 -> 192.168.2.4:49740
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 135.181.4.162:443 -> 192.168.2.4:49856
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 135.181.4.162:443 -> 192.168.2.4:49930
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 135.181.4.162:443 -> 192.168.2.4:49973
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 135.181.4.162:443 -> 192.168.2.4:49887
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 135.181.4.162:443 -> 192.168.2.4:49820
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 135.181.4.162:443 -> 192.168.2.4:50015
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 135.181.4.162:443 -> 192.168.2.4:50018
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 135.181.4.162:443 -> 192.168.2.4:50017
Source: Network traffic Suricata IDS: 2854802 - Severity 1 - ETPRO MALWARE Suspected Rhadamanthys Related SSL Cert : 135.181.4.162:443 -> 192.168.2.4:50016
Source: Malware configuration extractor URLs: https://135.181.4.162:2423/97e9fc994198e76/ok9djscw.jxh0g
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 135.181.4.162:2423
Source: Joe Sandbox View ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View JA3 fingerprint: caec7ddf6889590d999d7ca1b76373b6
Source: Network traffic Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 135.181.4.162:2423 -> 192.168.2.4:49734
Source: Network traffic Suricata IDS: 2854824 - Severity 2 - ETPRO JA3 HASH Suspected Malware Related Response : 135.181.4.162:2423 -> 192.168.2.4:49738
Source: unknown TCP traffic detected without corresponding DNS query: 135.181.4.162 (reported 50 times)
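Taken together, the Networking evidence above is four independent signals on the same server: TLS sessions to a raw IP that was never resolved through DNS, a non-standard TLS port (2423) used alongside 443, a JA3 client hash already associated with malware, and dozens of sessions to one host during the run. The Python below is an added example, not Suricata or Joe Sandbox logic: it applies those four checks to constructed Zeek-style DNS and TLS records. The JA3 value and the 135.181.4.162 endpoints are copied from this report; the benign session, its placeholder JA3 and the 203.0.113.0/24 address are constructed.

```python
"""Detection pass over constructed Zeek-style records, reproducing the checks behind
this report's Networking evidence: TLS to a raw IP with no preceding DNS answer,
TLS on a non-standard port, a known-bad JA3 client hash, repeated sessions to one
server. Added example, not Suricata or Joe Sandbox logic."""
from collections import defaultdict

KNOWN_BAD_JA3 = {"caec7ddf6889590d999d7ca1b76373b6"}  # JA3 listed in the report
TLS_PORTS = {443, 8443}                                # ports where TLS is expected
DNS_WINDOW = 3600.0                                    # seconds a DNS answer still "explains" a connection

# constructed DNS answers: (ts, qname, answer_ip); 203.0.113.0/24 is documentation space
DNS_ANSWERS = [
    (10.0, "update.example.test", "203.0.113.10"),
]
# constructed TLS sessions: (ts, src_ip, dst_ip, dst_port, ja3, tls_version)
BENIGN_JA3 = "0" * 32  # placeholder hash, not a real client fingerprint
TLS_SESSIONS = [
    (20.0, "192.168.2.4", "203.0.113.10", 443, BENIGN_JA3, "TLSv12"),
    (30.0, "192.168.2.4", "135.181.4.162", 2423, "caec7ddf6889590d999d7ca1b76373b6", "TLSv12"),
    (31.0, "192.168.2.4", "135.181.4.162", 2423, "caec7ddf6889590d999d7ca1b76373b6", "TLSv12"),
    (40.0, "192.168.2.4", "135.181.4.162", 443, "caec7ddf6889590d999d7ca1b76373b6", "TLSv12"),
    (41.0, "192.168.2.4", "135.181.4.162", 443, "caec7ddf6889590d999d7ca1b76373b6", "TLSv12"),
]


def index_dns(answers):
    """Map answer IP -> timestamps at which a DNS reply carried it."""
    idx = defaultdict(list)
    for ts, _qname, ip in answers:
        idx[ip].append(ts)
    return idx


def explained_by_dns(dns_idx, dst_ip, ts, window=DNS_WINDOW):
    """True if some DNS answer for dst_ip arrived within `window` seconds before ts."""
    return any(0 <= ts - t <= window for t in dns_idx.get(dst_ip, []))


def evaluate_sessions(sessions, answers, bad_ja3=KNOWN_BAD_JA3, beacon_threshold=3):
    """Return one alert per session that trips at least one check, in input order."""
    dns_idx = index_dns(answers)
    per_dst = defaultdict(int)
    for _ts, _src, dst, *_rest in sessions:
        per_dst[dst] += 1
    alerts = []
    for ts, src, dst, port, ja3, _ver in sessions:
        reasons = []
        if not explained_by_dns(dns_idx, dst, ts):
            reasons.append("tls_to_ip_without_dns")
        if port not in TLS_PORTS:
            reasons.append(f"tls_on_nonstandard_port:{port}")
        if ja3 in bad_ja3:
            reasons.append("known_bad_ja3")
        if per_dst[dst] >= beacon_threshold:
            reasons.append(f"repeated_sessions:{per_dst[dst]}")
        if reasons:
            alerts.append({"ts": ts, "src": src, "dst": f"{dst}:{port}", "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in evaluate_sessions(TLS_SESSIONS, DNS_ANSWERS):
        print(alert)
```

The JA3 check on its own is weak (the Suricata JA3 rule above is itself only severity 2, "suspected"), and the sample also spoke to port 443, so neither the hash nor the port should fire alone; the raw-IP destination with no DNS resolution is the check that isolates the C2 here, and the repeated-session count is what turns one odd connection into a beacon.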
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F554D8C WSARecv, 12_3_00007DF42F554D8C
Source: OpenWith.exe, OpenWith.exe, 0000000C.00000003.1876882190.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1905961871.000001C4B36E2000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1868874518.000001C4B36C8000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1873132909.000001C4B36E8000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2033626763.000001C4B36E1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2088748736.000001C4B38C2000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1869733313.000001C4B36C6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000002.2089949265.000001C4B1600000.00000040.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1873507016.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1872783770.000001C4B3663000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000002.2090989362.000001C4B38C3000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1870266082.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1869472379.000001C4B36C8000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1871264910.000001C4B36E8000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1875754085.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1910899682.000001C4B36E2000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2088305060.000001C4B36E2000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2033352520.000001C4B36D1000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1869999188.000001C4B36E8000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1848670499.000001C4B36C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://135.181.4.162:2423/97e9fc994198e76/ok9djscw.jxh0g
Source: OpenWith.exe, 00000006.00000002.1800181660.0000000002BAC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://135.181.4.162:2423/97e9fc994198e76/ok9djscw.jxh0g(
Source: OpenWith.exe, 00000006.00000002.1801414267.000000000562A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000002.2089949265.000001C4B1600000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: https://135.181.4.162:2423/97e9fc994198e76/ok9djscw.jxh0gkernelbasentdllkernel32GetProcessMitigation
Source: RegAsm.exe, 00000005.00000002.1739152797.000000000123C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://135.h
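The configuration extractor line in the AV Detection section and the four "String found in binary or memory" lines just above show the same C2 URL in several states: NUL-terminated, followed by a stray "(", run straight into an adjacent string ("...jxh0gkernelbasentdll..."), and truncated to "https://135.h". The Python below is an added example, not the Joe Sandbox extractor (whose method this page does not describe): it carves URL candidates with a raw-IP host out of a dump, groups them by endpoint, and reports the candidate that every other hit extends, which recovers the clean value from the run-on and punctuated copies. SAMPLE_DUMP is constructed to reproduce those four string forms; it is not a real memory dump.

```python
"""Carve plaintext C2 URL candidates from a process memory dump and choose the
configuration value. Added example, not Joe Sandbox's extractor; SAMPLE_DUMP is
constructed to reproduce the string forms listed in this report."""
import ipaddress
import os
import re
from collections import defaultdict

# scheme://dotted-quad[:port][/printable-path]; the path class is deliberately wide,
# so a URL that runs straight into the next string is captured whole and fixed up later
URL_RE = re.compile(rb"(https?)://(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?(/[\x21-\x7e]*)?")

SAMPLE_DUMP = (
    b"\x00" * 8
    + b"https://135.181.4.162:2423/97e9fc994198e76/ok9djscw.jxh0g\x00"   # clean, NUL-terminated
    + b"\x00\x01\x02"
    + b"https://135.181.4.162:2423/97e9fc994198e76/ok9djscw.jxh0g(\x00"  # stray '(' as in the report
    + b"https://135.181.4.162:2423/97e9fc994198e76/ok9djscw.jxh0g"
    + b"kernelbasentdllkernel32GetProcessMitigation\x00"                 # ran into an adjacent string
    + b"https://135.h\x00"                                               # truncated fragment
    + b"\x00" * 8
)


def carve_url_candidates(dump: bytes):
    """Yield (scheme, ip, port, url, nul_terminated) for every syntactically valid hit."""
    for m in URL_RE.finditer(dump):
        scheme, ip_text, port_text = m.group(1).decode(), m.group(2).decode(), m.group(3)
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:  # e.g. an octet above 255
            continue
        port = int(port_text) if port_text else (443 if scheme == "https" else 80)
        if not 0 < port < 65536:
            continue
        end = m.end()
        nul_terminated = end >= len(dump) or dump[end] == 0
        yield scheme, str(ip), port, m.group(0).decode("ascii"), nul_terminated


def extract_c2(dump: bytes) -> list:
    """Group candidates per endpoint and pick the string all the other hits extend."""
    groups = defaultdict(list)
    for scheme, ip, port, url, terminated in carve_url_candidates(dump):
        groups[(scheme, ip, port)].append((url, terminated))
    results = []
    for (scheme, ip, port), items in sorted(groups.items()):
        urls = [u for u, _ in items]
        terminated = {u for u, t in items if t}
        prefix = os.path.commonprefix(urls)
        if prefix in terminated:  # shortest clean string that every other hit extends
            best, confidence = prefix, "high"
        elif terminated:
            best, confidence = min(terminated, key=len), "medium"
        else:
            best, confidence = min(urls, key=len), "low"
        results.append({
            "C2 url": best,
            "host": ip,
            "port": port,
            "confidence": confidence,
            "variants": len(items),
            "public_ip": ipaddress.ip_address(ip).is_global,
            "nonstandard_port": port not in (80, 443),
        })
    return results


if __name__ == "__main__":
    for entry in extract_c2(SAMPLE_DUMP):
        print(entry)
```

The "C2 url" key mirrors the report's configuration line. Confidence drops to "medium" when only some hits for an endpoint are NUL-terminated and to "low" when none are, which is the usual case for a URL embedded in a larger structure rather than stored as a standalone string; in that case the carved value needs a second look before it goes into a blocklist.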
Source: OpenWith.exe, 0000000C.00000003.1876882190.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1907147043.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1873507016.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1872783770.000001C4B3663000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1870266082.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000002.2090682912.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1905961871.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1875754085.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2033352520.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1898999005.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1873292564.000001C4B366A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1871887979.000001C4B366A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1875022702.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1871033957.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1878512690.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1873976059.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1869733313.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1910899682.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1905222382.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1871650965.000001C4B3668000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2006206125.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: OpenWith.exe, 0000000C.00000003.1876882190.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1907147043.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1873507016.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1872783770.000001C4B3663000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1870266082.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000002.2090682912.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1905961871.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1875754085.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2033352520.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1898999005.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1873292564.000001C4B366A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1871887979.000001C4B366A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1875022702.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1871033957.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1878512690.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1873976059.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1869733313.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1910899682.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1905222382.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1871650965.000001C4B3668000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2006206125.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: OpenWith.exe, 0000000C.00000003.1876882190.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1907147043.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1873507016.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1872783770.000001C4B3663000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1870266082.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000002.2090682912.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1905961871.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1875754085.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2033352520.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1898999005.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1873292564.000001C4B366A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1871887979.000001C4B366A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1875022702.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1871033957.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1878512690.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1873976059.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1869733313.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1910899682.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1905222382.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1871650965.000001C4B3668000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2006206125.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: OpenWith.exe, 0000000C.00000003.1876882190.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1907147043.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1873507016.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1872783770.000001C4B3663000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1870266082.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000002.2090682912.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1905961871.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1875754085.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2033352520.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1898999005.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1873292564.000001C4B366A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1871887979.000001C4B366A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1875022702.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1871033957.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1878512690.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1873976059.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1869733313.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1910899682.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1905222382.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1871650965.000001C4B3668000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2006206125.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: OpenWith.exe, 0000000C.00000003.1878159928.000001C4B3BEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discord.com
Source: OpenWith.exe, 0000000C.00000003.1878159928.000001C4B3BEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discordapp.com
Source: OpenWith.exe, 0000000C.00000003.1870266082.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1869733313.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: OpenWith.exe, 0000000C.00000003.1870266082.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1869733313.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: OpenWith.exe, 0000000C.00000003.1870266082.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1869733313.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: OpenWith.exe, 0000000C.00000003.2033593746.000001C4B36F8000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1905961871.000001C4B36E2000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2006573754.000001C4B36F8000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1879533287.000001C4B36F6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2088305060.000001C4B36F9000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2033352520.000001C4B36EE000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000002.2090897935.000001C4B36F9000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1906879801.000001C4B36F6000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2006206125.000001C4B36EE000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1878512690.000001C4B36F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mic
Source: OpenWith.exe, 0000000C.00000003.1878512690.000001C4B36F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mic)
Source: OpenWith.exe, 0000000C.00000003.1872339760.000001C4B3641000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1871542217.000001C4B398A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1872074569.000001C4B3BA0000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1899631638.000001C4B3BAA000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1876331692.000001C4B362B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: OpenWith.exe, 0000000C.00000003.1872074569.000001C4B3B7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: OpenWith.exe, 0000000C.00000003.1872339760.000001C4B3641000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1871542217.000001C4B398A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1872074569.000001C4B3BA0000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1871650965.000001C4B3668000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1899631638.000001C4B3BAA000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1876331692.000001C4B362B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: OpenWith.exe, 0000000C.00000003.1872074569.000001C4B3B7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: OpenWith.exe, 0000000C.00000003.1871650965.000001C4B3668000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17t.mc_id=EnterPK201694ba2e0b-6
Source: OpenWith.exe, 0000000C.00000003.1876882190.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1907147043.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1873507016.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1872783770.000001C4B3663000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1870266082.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000002.2090682912.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1905961871.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1875754085.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2033352520.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1898999005.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1873292564.000001C4B366A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1871887979.000001C4B366A000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1875022702.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1871033957.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1878512690.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1873976059.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1869733313.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1910899682.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1905222382.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1871650965.000001C4B3668000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2006206125.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: OpenWith.exe, 0000000C.00000003.1870266082.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1871033957.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1869733313.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1870663279.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:49820 version: TLS 1.2
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:49856 version: TLS 1.2
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:49887 version: TLS 1.2
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:49930 version: TLS 1.2
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:49973 version: TLS 1.2
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:50015 version: TLS 1.2
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:50016 version: TLS 1.2
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:50017 version: TLS 1.2
Source: unknown HTTPS traffic detected: 135.181.4.162:443 -> 192.168.2.4:50018 version: TLS 1.2
Source: OpenWith.exe, 00000006.00000003.1738036427.00000000051E0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DirectInput8Create memstr_49ad3b77-4
Source: OpenWith.exe, 00000006.00000003.1738036427.00000000051E0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_32a9c546-9
Source: Yara match File source: 6.3.OpenWith.exe.5400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.OpenWith.exe.51e0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000003.1738036427.00000000051E0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1738258496.0000000005400000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: OpenWith.exe PID: 2656, type: MEMORYSTR

System Summary

Source: TctqdRX5Wq.exe, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 433152
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_000001C4B30030C7 NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,RtlFreeHeap,RtlFreeHeap, 12_3_000001C4B30030C7
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F52AF60 NtAcceptConnectPort, 12_3_00007DF42F52AF60
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F52AF40 NtAcceptConnectPort, 12_3_00007DF42F52AF40
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F52ADD4 NtAcceptConnectPort, 12_3_00007DF42F52ADD4
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F52AE5C NtAcceptConnectPort, 12_3_00007DF42F52AE5C
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F52BE6C calloc,NtAcceptConnectPort, 12_3_00007DF42F52BE6C
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F52ACE8 NtAcceptConnectPort, 12_3_00007DF42F52ACE8
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F52BCC0 NtAcceptConnectPort,NtAcceptConnectPort,free, 12_3_00007DF42F52BCC0
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F52ACC8 NtAcceptConnectPort, 12_3_00007DF42F52ACC8
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F52AD14 NtAcceptConnectPort, 12_3_00007DF42F52AD14
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F52AC0C NtAcceptConnectPort, 12_3_00007DF42F52AC0C
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F52C7CC NtAcceptConnectPort, 12_3_00007DF42F52C7CC
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F52C70C NtAcceptConnectPort, 12_3_00007DF42F52C70C
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F52B498 NtAcceptConnectPort,calloc,DuplicateHandle,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort,NtAcceptConnectPort, 12_3_00007DF42F52B498
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F52C47C NtAcceptConnectPort, 12_3_00007DF42F52C47C
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F52D3C0 NtAcceptConnectPort,NtAcceptConnectPort, 12_3_00007DF42F52D3C0
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F52D2F4 NtAcceptConnectPort,NtAcceptConnectPort, 12_3_00007DF42F52D2F4
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F52C10C NtAcceptConnectPort, 12_3_00007DF42F52C10C
Source: C:\Windows\System32\OpenWith.exe Code function: 12_2_000001C4B1601A90 NtAcceptConnectPort,NtAcceptConnectPort, 12_2_000001C4B1601A90
Source: C:\Windows\System32\OpenWith.exe Code function: 12_2_000001C4B1600AC8 NtAcceptConnectPort,NtAcceptConnectPort, 12_2_000001C4B1600AC8
Source: C:\Windows\System32\OpenWith.exe Code function: 12_2_000001C4B1601CD0 NtAcceptConnectPort,CloseHandle, 12_2_000001C4B1601CD0
Source: C:\Windows\System32\OpenWith.exe Code function: 12_2_000001C4B16015AC NtAcceptConnectPort, 12_2_000001C4B16015AC
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_3_00007DF449D01CE8 CreateProcessW,NtResumeThread,CloseHandle,free, 16_3_00007DF449D01CE8
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_3_00007DF449D01958 calloc,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtQueryInformationProcess,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory, 16_3_00007DF449D01958
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00000191682127B8 NtAcceptConnectPort, 16_2_00000191682127B8
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_000001916821288C NtAcceptConnectPort, 16_2_000001916821288C
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00000191682128E8 NtAcceptConnectPort, 16_2_00000191682128E8
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00000191682128B8 NtAcceptConnectPort, 16_2_00000191682128B8
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_0000019168212990 NtAcceptConnectPort, 16_2_0000019168212990
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00000191682129D4 NtAcceptConnectPort, 16_2_00000191682129D4
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_0000019168212418 NtAcceptConnectPort, 16_2_0000019168212418
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_0000019168212C64 NtAcceptConnectPort, 16_2_0000019168212C64
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_000001916821252C NtAcceptConnectPort, 16_2_000001916821252C
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782B385C NtQuerySystemInformation, 17_2_00000242782B385C
Source: C:\Windows\System32\SIHClient.exe File created: C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMP3B3A.tmp Jump to behavior
Source: C:\Windows\System32\SIHClient.exe File created: C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMPCDA8.tmp Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_000001C4B30024F7 12_3_000001C4B30024F7
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_000001C4B3005E7C 12_3_000001C4B3005E7C
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_000001C4B300557C 12_3_000001C4B300557C
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_000001C4B30058FC 12_3_000001C4B30058FC
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_000001C4B300279C 12_3_000001C4B300279C
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_000001C4B3001BA6 12_3_000001C4B3001BA6
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_000001C4B3004A38 12_3_000001C4B3004A38
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_000001C4B3002C3C 12_3_000001C4B3002C3C
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F502634 12_3_00007DF42F502634
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F5E9F68 12_3_00007DF42F5E9F68
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F539F4C 12_3_00007DF42F539F4C
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F530F04 12_3_00007DF42F530F04
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F54FDE0 12_3_00007DF42F54FDE0
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F5F6DAC 12_3_00007DF42F5F6DAC
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F5E3D84 12_3_00007DF42F5E3D84
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F511E54 12_3_00007DF42F511E54
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F5EAE00 12_3_00007DF42F5EAE00
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F5DEBE4 12_3_00007DF42F5DEBE4
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F5A6C60 12_3_00007DF42F5A6C60
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F56DC54 12_3_00007DF42F56DC54
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F513C6C 12_3_00007DF42F513C6C
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F505C24 12_3_00007DF42F505C24
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F515C08 12_3_00007DF42F515C08
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F579AE0 12_3_00007DF42F579AE0
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F54FA94 12_3_00007DF42F54FA94
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F559B70 12_3_00007DF42F559B70
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F569B38 12_3_00007DF42F569B38
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F51FB24 12_3_00007DF42F51FB24
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F5EFB04 12_3_00007DF42F5EFB04
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F5FCB04 12_3_00007DF42F5FCB04
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F51D9F0 12_3_00007DF42F51D9F0
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F5E69A8 12_3_00007DF42F5E69A8
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F55CA38 12_3_00007DF42F55CA38
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F5EA8BC 12_3_00007DF42F5EA8BC
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F51F95C 12_3_00007DF42F51F95C
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F52996C 12_3_00007DF42F52996C
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F55B7B8 12_3_00007DF42F55B7B8
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F5696E0 12_3_00007DF42F5696E0
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F5575E4 12_3_00007DF42F5575E4
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F5695D0 12_3_00007DF42F5695D0
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F55D594 12_3_00007DF42F55D594
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F50F624 12_3_00007DF42F50F624
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F5EA4A0 12_3_00007DF42F5EA4A0
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F5E8474 12_3_00007DF42F5E8474
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F552524 12_3_00007DF42F552524
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F5DA3D4 12_3_00007DF42F5DA3D4
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F54F3B8 12_3_00007DF42F54F3B8
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F55A430 12_3_00007DF42F55A430
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F5693F4 12_3_00007DF42F5693F4
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F5443F8 12_3_00007DF42F5443F8
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F5F72C8 12_3_00007DF42F5F72C8
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F5EB318 12_3_00007DF42F5EB318
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F59E24C 12_3_00007DF42F59E24C
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F5720BC 12_3_00007DF42F5720BC
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F5CA168 12_3_00007DF42F5CA168
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F55B104 12_3_00007DF42F55B104
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F57CFB4 12_3_00007DF42F57CFB4
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F5FBFCC 12_3_00007DF42F5FBFCC
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F5EAF80 12_3_00007DF42F5EAF80
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F501058 12_3_00007DF42F501058
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F54F02C 12_3_00007DF42F54F02C
Source: C:\Windows\System32\OpenWith.exe Code function: 12_2_000001C4B1600C5C 12_2_000001C4B1600C5C
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_3_0000019168401F40 16_3_0000019168401F40
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_3_0000019168403660 16_3_0000019168403660
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_3_000001916840027B 16_3_000001916840027B
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_3_000001916840170E 16_3_000001916840170E
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_3_0000019168402718 16_3_0000019168402718
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_3_00007DF449D02204 16_3_00007DF449D02204
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_3_00007DF449D04EFC 16_3_00007DF449D04EFC
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_3_00007DF449D0392C 16_3_00007DF449D0392C
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_000001916820C25C 16_2_000001916820C25C
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_0000019168212D24 16_2_0000019168212D24
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_0000019168202628 16_2_0000019168202628
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_000001916823A81C 16_2_000001916823A81C
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_000001916821D010 16_2_000001916821D010
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_000001916822D854 16_2_000001916822D854
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_0000019168227094 16_2_0000019168227094
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_0000019168240874 16_2_0000019168240874
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00000191682348D0 16_2_00000191682348D0
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_0000019168235918 16_2_0000019168235918
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_000001916823F940 16_2_000001916823F940
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_0000019168220174 16_2_0000019168220174
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_000001916823E984 16_2_000001916823E984
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_000001916823F1D0 16_2_000001916823F1D0
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_0000019168240270 16_2_0000019168240270
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_0000019168217270 16_2_0000019168217270
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_0000019168233A38 16_2_0000019168233A38
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_0000019168243A4D 16_2_0000019168243A4D
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_0000019168234A50 16_2_0000019168234A50
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_0000019168215ADC 16_2_0000019168215ADC
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_000001916821E398 16_2_000001916821E398
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_000001916823CC00 16_2_000001916823CC00
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_0000019168246434 16_2_0000019168246434
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_0000019168230478 16_2_0000019168230478
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_000001916821DCE4 16_2_000001916821DCE4
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_000001916823ECE4 16_2_000001916823ECE4
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00000191682014D0 16_2_00000191682014D0
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_0000019168226D18 16_2_0000019168226D18
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00000191682355B0 16_2_00000191682355B0
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_0000019168240D90 16_2_0000019168240D90
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00000191682395D4 16_2_00000191682395D4
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_0000019168234DE8 16_2_0000019168234DE8
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_000001916821F618 16_2_000001916821F618
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_0000019168223EA4 16_2_0000019168223EA4
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_0000019168227684 16_2_0000019168227684
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00000191682286B4 16_2_00000191682286B4
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_000001916821BEB8 16_2_000001916821BEB8
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_0000019168235EC8 16_2_0000019168235EC8
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_0000019168216F24 16_2_0000019168216F24
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_0000019168233F70 16_2_0000019168233F70
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_000001916821C750 16_2_000001916821C750
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00007DF449D27554 16_2_00007DF449D27554
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00007DF449D23D3B 16_2_00007DF449D23D3B
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00007DF449D1F149 16_2_00007DF449D1F149
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00007DF449D1BD49 16_2_00007DF449D1BD49
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00007DF449D26927 16_2_00007DF449D26927
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00007DF449D258F8 16_2_00007DF449D258F8
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00007DF449D250D6 16_2_00007DF449D250D6
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00007DF449D154C0 16_2_00007DF449D154C0
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00007DF449D260A5 16_2_00007DF449D260A5
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00007DF449D25456 16_2_00007DF449D25456
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00007DF449D18C19 16_2_00007DF449D18C19
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00007DF449D1DFEB 16_2_00007DF449D1DFEB
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00007DF449D183BA 16_2_00007DF449D183BA
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00007DF449D14F8A 16_2_00007DF449D14F8A
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00007DF449D26B5B 16_2_00007DF449D26B5B
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00007DF449D20F5A 16_2_00007DF449D20F5A
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00007DF449D26F4A 16_2_00007DF449D26F4A
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00007DF449D22F24 16_2_00007DF449D22F24
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00007DF449D25AB2 16_2_00007DF449D25AB2
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00007DF449D27A58 16_2_00007DF449D27A58
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00007DF449D25227 16_2_00007DF449D25227
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00007DF449D271FE 16_2_00007DF449D271FE
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00007DF449D1C5C4 16_2_00007DF449D1C5C4
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00007DF449D221C7 16_2_00007DF449D221C7
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_00007DF449D1A5A5 16_2_00007DF449D1A5A5
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782D3210 17_2_00000242782D3210
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782D2254 17_2_00000242782D2254
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782D2AA0 17_2_00000242782D2AA0
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782C92D4 17_2_00000242782C92D4
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782D3B40 17_2_00000242782D3B40
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782B737C 17_2_00000242782B737C
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782C53C8 17_2_00000242782C53C8
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782BBC68 17_2_00000242782BBC68
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782DC500 17_2_00000242782DC500
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782CA4F8 17_2_00000242782CA4F8
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782C9D30 17_2_00000242782C9D30
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782B6D37 17_2_00000242782B6D37
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782CE51C 17_2_00000242782CE51C
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782D25B4 17_2_00000242782D25B4
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782B8DF4 17_2_00000242782B8DF4
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782BC5D4 17_2_00000242782BC5D4
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782CAE10 17_2_00000242782CAE10
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782E1E08 17_2_00000242782E1E08
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782BD604 17_2_00000242782BD604
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782DC668 17_2_00000242782DC668
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782D4660 17_2_00000242782D4660
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782C8EB8 17_2_00000242782C8EB8
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782CF76C 17_2_00000242782CF76C
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782C27A4 17_2_00000242782C27A4
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782BBFE4 17_2_00000242782BBFE4
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782C9818 17_2_00000242782C9818
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782CA860 17_2_00000242782CA860
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782C8980 17_2_00000242782C8980
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782D4144 17_2_00000242782D4144
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782C9998 17_2_00000242782C9998
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 688
Source: TctqdRX5Wq.exe, 00000000.00000002.1716675170.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs TctqdRX5Wq.exe
Source: TctqdRX5Wq.exe, 00000000.00000002.1723676965.0000000003795000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename4 vs TctqdRX5Wq.exe
Source: TctqdRX5Wq.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: TctqdRX5Wq.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 12.2.OpenWith.exe.1c4b38bd970.1.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 12.3.OpenWith.exe.1c4b38bd970.4.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: 12.3.OpenWith.exe.1c4b38bd970.5.raw.unpack, CallWrapper.cs Suspicious method names: .CallWrapper.GetPayload
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@21/9@0/1
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F502634 CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle,SuspendThread, 12_3_00007DF42F502634
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TctqdRX5Wq.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3744:120:WilError_03
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Mutant created: NULL
Source: C:\Windows\System32\SIHClient.exe Mutant created: {376155FF-95A0-46CA-8F57-ACB09EA70153}
Source: C:\Windows\SysWOW64\OpenWith.exe Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\53078613-99f7-4f67-aced-a6a5416f41e6
Source: TctqdRX5Wq.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TctqdRX5Wq.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\SysWOW64\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files\Windows Media Player\setup_wm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files\Windows Media Player\setup_wm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\SIHClient.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: OpenWith.exe, 0000000C.00000003.2089693717.00007DF42F602000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2089235322.000001C4B3A71000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2088143901.000001C4B3725000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1837587060.000001C4B30DA000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1847168318.000001C4B3924000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1846690752.000001C4B3871000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1845688184.000001C4B30D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: OpenWith.exe, 0000000C.00000003.2089693717.00007DF42F602000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2089235322.000001C4B3A71000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2088143901.000001C4B3725000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1837587060.000001C4B30DA000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1847168318.000001C4B3924000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1846690752.000001C4B3871000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1845688184.000001C4B30D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: OpenWith.exe, 0000000C.00000003.2089693717.00007DF42F602000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2089235322.000001C4B3A71000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2088143901.000001C4B3725000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1837587060.000001C4B30DA000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1847168318.000001C4B3924000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1846690752.000001C4B3871000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1845688184.000001C4B30D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: OpenWith.exe, 0000000C.00000003.2089693717.00007DF42F602000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2089235322.000001C4B3A71000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2088143901.000001C4B3725000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1837587060.000001C4B30DA000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1847168318.000001C4B3924000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1846690752.000001C4B3871000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1845688184.000001C4B30D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: OpenWith.exe, 0000000C.00000003.2089693717.00007DF42F602000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2089235322.000001C4B3A71000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2088143901.000001C4B3725000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1837587060.000001C4B30DA000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1847168318.000001C4B3924000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1846690752.000001C4B3871000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1845688184.000001C4B30D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: OpenWith.exe, 0000000C.00000003.2089693717.00007DF42F602000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2089235322.000001C4B3A71000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2088143901.000001C4B3725000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1837587060.000001C4B30DA000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1847168318.000001C4B3924000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1846690752.000001C4B3871000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1845688184.000001C4B30D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: OpenWith.exe, 0000000C.00000003.1870594160.000001C4B3BE5000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1871378644.000001C4B3B7F000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1870818386.000001C4B3BE5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: OpenWith.exe, 0000000C.00000003.2089693717.00007DF42F602000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2089235322.000001C4B3A71000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.2088143901.000001C4B3725000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1837587060.000001C4B30DA000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1847168318.000001C4B3924000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1846690752.000001C4B3871000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000003.1845688184.000001C4B30D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: TctqdRX5Wq.exe ReversingLabs: Detection: 76%
Source: TctqdRX5Wq.exe Virustotal: Detection: 72%
Source: unknown Process created: C:\Users\user\Desktop\TctqdRX5Wq.exe "C:\Users\user\Desktop\TctqdRX5Wq.exe"
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 684
Source: C:\Windows\SysWOW64\OpenWith.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv gXqch/IrSkuvKvqIAnHVew.0.2
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows Media Player\setup_wm.exe "C:\Program Files\Windows Media Player\setup_wm.exe"
Source: C:\Windows\SysWOW64\OpenWith.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Windows\SysWOW64\OpenWith.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows Media Player\setup_wm.exe "C:\Program Files\Windows Media Player\setup_wm.exe"
Source: C:\Program Files\Windows Media Player\setup_wm.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: netutils.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\OpenWith.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Media Player\setup_wm.exe Section loaded: atl.dll
Source: C:\Program Files\Windows Media Player\setup_wm.exe Section loaded: pdh.dll
Source: C:\Program Files\Windows Media Player\setup_wm.exe Section loaded: wininet.dll
Source: C:\Program Files\Windows Media Player\setup_wm.exe Section loaded: urlmon.dll
Source: C:\Program Files\Windows Media Player\setup_wm.exe Section loaded: userenv.dll
Source: C:\Program Files\Windows Media Player\setup_wm.exe Section loaded: secur32.dll
Source: C:\Program Files\Windows Media Player\setup_wm.exe Section loaded: mfplat.dll
Source: C:\Program Files\Windows Media Player\setup_wm.exe Section loaded: version.dll
Source: C:\Program Files\Windows Media Player\setup_wm.exe Section loaded: iertutil.dll
Source: C:\Program Files\Windows Media Player\setup_wm.exe Section loaded: srvcli.dll
Source: C:\Program Files\Windows Media Player\setup_wm.exe Section loaded: netutils.dll
Source: C:\Program Files\Windows Media Player\setup_wm.exe Section loaded: sspicli.dll
Source: C:\Program Files\Windows Media Player\setup_wm.exe Section loaded: msasn1.dll
Source: C:\Program Files\Windows Media Player\setup_wm.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Media Player\setup_wm.exe Section loaded: rtworkq.dll
Source: C:\Program Files\Windows Media Player\setup_wm.exe Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Media Player\setup_wm.exe Section loaded: mswsock.dll
Source: C:\Program Files\Windows Media Player\setup_wm.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\OpenWith.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\7.0\Outlook\Profiles\Outlook
Source: TctqdRX5Wq.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: TctqdRX5Wq.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: TctqdRX5Wq.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdby^ source: OpenWith.exe, 0000000C.00000002.2090027335.000001C4B1658000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdb source: OpenWith.exe, 00000006.00000003.1737864385.0000000005300000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1737759699.00000000051E0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: OpenWith.exe, 0000000C.00000002.2090027335.000001C4B1658000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: OpenWith.exe, 0000000C.00000002.2090027335.000001C4B1658000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb2j source: OpenWith.exe, 0000000C.00000002.2090027335.000001C4B1658000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdb source: OpenWith.exe, 00000006.00000003.1738036427.00000000051E0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1738258496.0000000005400000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: OpenWith.exe, 00000006.00000003.1736083769.00000000051E0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1736374528.00000000053D0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: OpenWith.exe, 00000006.00000003.1737123646.00000000051E0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1737430559.0000000005380000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: OpenWith.exe, 00000006.00000003.1736083769.00000000051E0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1736374528.00000000053D0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: OpenWith.exe, 00000006.00000003.1737123646.00000000051E0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1737430559.0000000005380000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernel32.pdbUGP source: OpenWith.exe, 00000006.00000003.1737864385.0000000005300000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1737759699.00000000051E0000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: wkernelbase.pdbUGP source: OpenWith.exe, 00000006.00000003.1738036427.00000000051E0000.00000004.00000001.00020000.00000000.sdmp, OpenWith.exe, 00000006.00000003.1738258496.0000000005400000.00000004.00000001.00020000.00000000.sdmp
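The Process created lines above give the whole lineage: the .NET sample starts RegAsm.exe with no assembly to register (RegAsm prints usage and exits when run without a path), RegAsm spawns a 32-bit OpenWith.exe, that one relaunches its own 64-bit System32 image, which starts setup_wm.exe, which finally starts dllhost.exe without the /Processid:{CLSID} switch the DCOM launcher always passes to the COM surrogate. One caveat when reading the report: dllhost.exe is attributed to two different parents (SysWOW64\OpenWith.exe in the first list, setup_wm.exe in the behaviour-graph list); the example below keeps the behaviour-graph attribution. The following Python is an added example, not code from the report, the sandbox or the sample: it parses those lines (copied here as constructed input, one copy per parent/child edge), rebuilds the lineage and applies four parent/child heuristics. The rule names, the injection-host list and the benign-child list are assumptions of this example.

```python
import re
import ntpath

# Constructed input: the "Process created" observations from this report, one copy
# per parent->child edge, with the behaviour-graph attribution kept for dllhost.exe.
PROCESS_EVENTS = r"""
Source: unknown Process created: C:\Users\user\Desktop\TctqdRX5Wq.exe "C:\Users\user\Desktop\TctqdRX5Wq.exe"
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 688
Source: C:\Windows\SysWOW64\OpenWith.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe"
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv gXqch/IrSkuvKvqIAnHVew.0.2
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows Media Player\setup_wm.exe "C:\Program Files\Windows Media Player\setup_wm.exe"
Source: C:\Program Files\Windows Media Player\setup_wm.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe"
"""

# Assumptions of this example: .NET utilities commonly abused as injection hosts, and
# children that are side effects (console host, crash reporter) rather than tradecraft.
INJECTION_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
BENIGN_CHILDREN = {"conhost.exe", "werfault.exe"}


def base(path):
    return ntpath.basename(path).lower()


def parse_events(text):
    """Return (parent, child, command_line) tuples from 'Source: P Process created: C CMD' lines."""
    events = []
    for line in text.strip().splitlines():
        m = re.match(r"Source: (.*?) Process created: (.*)$", line)
        if not m:
            continue
        parent, rest = m.groups()
        if ' "' in rest:                  # image path followed by a quoted command line
            child, cmd = rest.split(' "', 1)
            cmd = '"' + cmd
        else:                             # image path followed by an unquoted command line
            child, cmd = rest.split(" ", 1)
        events.append((parent, child, cmd))
    return events


def has_arguments(child, cmd):
    """True if anything follows the image path in the command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        rest = cmd[1:].split('"', 1)[1]
    elif cmd.lower().startswith(child.lower()):
        rest = cmd[len(child):]
    else:
        rest = cmd
    return bool(rest.strip())


def analyse(events):
    findings = []
    for parent, child, cmd in events:
        p, c = base(parent), base(child)
        if c in BENIGN_CHILDREN:
            continue
        # A user-dropped binary starting a .NET registration tool with nothing to register.
        if c in INJECTION_HOSTS and parent.lower().startswith("c:\\users\\") and not has_arguments(child, cmd):
            findings.append(("lolbin_without_arguments", parent, child))
        # Registration tools do not spawn processes of their own.
        if p in INJECTION_HOSTS:
            findings.append(("lolbin_spawns_child", parent, child))
        # DCOM starts the COM surrogate as dllhost.exe /Processid:{CLSID}; nothing else should start it.
        if c == "dllhost.exe" and "/processid:" not in cmd.lower():
            findings.append(("dllhost_without_processid", parent, child))
        # A 32-bit system binary relaunching its own 64-bit image.
        if p == c and "\\syswow64\\" in parent.lower() and "\\system32\\" in child.lower():
            findings.append(("wow64_relaunches_native_copy", parent, child))
    return findings


def lineage(events, leaf):
    """Walk child->parent back to the root. Keyed on image path, so the four identical
    RegAsm.exe launches collapse into one node (a PID-keyed tree would keep them apart)."""
    parent_of = {child: parent for parent, child, _ in events}
    chain = [leaf]
    while chain[-1] in parent_of and parent_of[chain[-1]] != "unknown":
        chain.append(parent_of[chain[-1]])
    return [base(p) for p in reversed(chain)]


if __name__ == "__main__":
    evs = parse_events(PROCESS_EVENTS)
    for rule, parent, child in analyse(evs):
        print(f"{rule:30} {base(parent)} -> {base(child)}")
    print(" -> ".join(lineage(evs, r"C:\Windows\System32\dllhost.exe")))
```

Run against the report's own edges this flags the RegAsm.exe launch, the RegAsm-to-OpenWith hop, the SysWOW64-to-System32 self-relaunch and the argument-less dllhost.exe, and prints the six-process chain from the sample to dllhost.exe. In production the same rules belong on Sysmon Event ID 1 or EDR process-creation telemetry keyed by PID, not on the path-keyed tree used here.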

Data Obfuscation

Source: 12.3.OpenWith.exe.1c4b38bd970.5.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 12.3.OpenWith.exe.1c4b38bd970.5.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 12.2.OpenWith.exe.1c4b38bd970.1.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 12.2.OpenWith.exe.1c4b38bd970.1.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 12.3.OpenWith.exe.1c4b38bd970.4.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 12.3.OpenWith.exe.1c4b38bd970.4.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 12.2.OpenWith.exe.1c4b38b9d60.2.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 12.2.OpenWith.exe.1c4b38b9d60.2.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: 12.3.OpenWith.exe.1c4b38b9d60.6.raw.unpack, Runtime.cs .Net Code: CoreMain System.Reflection.Assembly.Load(byte[])
Source: 12.3.OpenWith.exe.1c4b38b9d60.6.raw.unpack, Runtime.cs .Net Code: CoreMain
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 6_3_02BB3EE9 push ebx; iretd 6_3_02BB3EEA
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 6_3_02BB2CE2 push es; retf 6_3_02BB2D11
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 6_3_02BB2822 push ebp; iretd 6_3_02BB2823
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 6_3_02BB4262 push eax; retf 6_3_02BB4271
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 6_3_02BB21B0 pushad ; ret 6_3_02BB21B8
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 6_3_02BB21F0 push ecx; iretd 6_3_02BB21FC
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 6_3_02BB47F7 push esi; ret 6_3_02BB4802
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 6_3_02BB0FD0 push eax; retf 6_3_02BB0FD1
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 6_3_02BB2D15 push es; retf 6_3_02BB2D11
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 6_3_02BB4B00 push edx; ret 6_3_02BB4B01
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_3_00000191683F1B00 push rax; iretd 16_3_00000191683F1B01
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782B0BB9 pushad ; retf 17_2_00000242782B0BD6
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782B061D push es; iretd 17_2_00000242782B062A
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782B067C push 22A947ABh; retf 17_2_00000242782B0688
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782B089C push es; ret 17_2_00000242782B089F
Source: C:\Windows\System32\dllhost.exe Code function: 17_2_00000242782B0159 push FFFFFF8Dh; ret 17_2_00000242782B015F
Source: TctqdRX5Wq.exe Static PE information: section name: .text entropy: 7.996682056923866
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\OpenWith.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Media Player\setup_wm.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Media Player\setup_wm.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\dllhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
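Two of the Data Obfuscation signals above are cheap to reproduce on any dumped region: the .text section entropy of 7.9967 bits per byte (a near-maximal value that a packed or encrypted section gives, normal compiled code sits well below it) and the "push …; retf / iretd / ret" code-function hits. Compilers do not emit a push immediately followed by a far or interrupt return, so such hits in an executable region usually mean the disassembler landed on data or on a still-encrypted payload, which is why they are filed under obfuscation rather than treated as real return gadgets. The following Python is an added example, not code from the report, the sandbox or the sample: it computes Shannon entropy of a buffer and scans for push-then-return byte pairs with a small opcode table. The 7.2 cut-off and the test buffer (which embeds the report's own `push 22A947ABh; retf` as bytes 68 AB 47 A9 22 CB) are constructed for the example.

```python
import math
from collections import Counter

# Single-byte push forms plus push imm8/imm32, and the return family they pair with.
PUSH_OPCODES = {
    0x06: ("push es", 1), 0x0E: ("push cs", 1), 0x16: ("push ss", 1), 0x1E: ("push ds", 1),
    0x60: ("pushad", 1), 0x68: ("push imm32", 5), 0x6A: ("push imm8", 2),
}
for i, reg in enumerate(["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]):
    PUSH_OPCODES[0x50 + i] = (f"push {reg}", 1)
RET_OPCODES = {0xC3: "ret", 0xC2: "ret imm16", 0xCB: "retf", 0xCA: "retf imm16", 0xCF: "iretd"}

PACKED_THRESHOLD = 7.2  # heuristic cut-off, an assumption of this example (not from the report)

# Constructed test buffer: the report's "push 22A947ABh; retf" (little-endian 68 AB 47 A9 22 CB),
# four nops, then push ebx; iretd, push es; retf 0, pushad; ret.
SAMPLE_CODE = bytes.fromhex("68AB47A922CB" "90909090" "53CF" "06CA0000" "60C3")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_section(entropy: float) -> str:
    return "packed/encrypted" if entropy >= PACKED_THRESHOLD else "plain code/data"


def find_push_ret(data: bytes):
    """Return (offset, text) for every push whose next instruction byte is a return opcode.
    The scan advances one byte at a time, like a sandbox looking for patterns in a region,
    so it deliberately does not try to follow real instruction boundaries."""
    hits = []
    for i in range(len(data)):
        push = PUSH_OPCODES.get(data[i])
        if push is None:
            continue
        mnemonic, size = push
        if data[i] == 0x68 and i + 5 <= len(data):
            mnemonic = f"push {int.from_bytes(data[i + 1:i + 5], 'little'):08X}h"
        elif data[i] == 0x6A and i + 2 <= len(data):
            mnemonic = f"push {data[i + 1]:02X}h"
        nxt = i + size
        if nxt < len(data) and data[nxt] in RET_OPCODES:
            hits.append((i, f"{mnemonic}; {RET_OPCODES[data[nxt]]}"))
    return hits


if __name__ == "__main__":
    for label, buf in (("uniform", bytes(range(256)) * 4), ("constant", b"A" * 1024), ("sample", SAMPLE_CODE)):
        e = shannon_entropy(buf)
        print(f"{label:9} entropy={e:.4f} -> {classify_section(e)}")
    for offset, text in find_push_ret(SAMPLE_CODE):
        print(f"{offset:#06x}: {text}")
```

Applied to a real dump, run `shannon_entropy` per PE section and `find_push_ret` only over regions that are both executable and high-entropy; a single push/ret pair in a 7.99-bit .text section is noise, while the region's entropy alone is already the stronger indicator that the code is not plain.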

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API/Special instruction interceptor: Address: 7FFE2220D044
Source: C:\Windows\SysWOW64\OpenWith.exe API/Special instruction interceptor: Address: 7FFE2220D044
Source: C:\Windows\SysWOW64\OpenWith.exe API/Special instruction interceptor: Address: 54DA83A
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Memory allocated: D70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Memory allocated: 2790000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Memory allocated: 4790000 memory reserve | memory write watch
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_3_00000191683F73F0 sldt word ptr [rax] 16_3_00000191683F73F0
Source: C:\Windows\System32\dllhost.exe Code function: GetAdaptersInfo, 17_2_00000242782B2AC4
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe TID: 6036 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\SIHClient.exe TID: 6500 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\SIHClient.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\SIHClient.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\SIHClient.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\SIHClient.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\SysWOW64\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files\Windows Media Player\setup_wm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files\Windows Media Player\setup_wm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F589F04 GetSystemInfo, 12_3_00007DF42F589F04
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\Default\AppData\Local\Microsoft Jump to behavior
Source: OpenWith.exe, 00000006.00000002.1800884339.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: qEMUjGZ
Source: OpenWith.exe, 0000000C.00000003.1870663279.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkmbolicLinkSymbolicLink
Source: OpenWith.exe, 0000000C.00000003.1870663279.000001C4B366D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkLinkcLinkSymbolicLink
Source: OpenWith.exe, 00000006.00000002.1800473996.0000000003028000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWs
Source: OpenWith.exe, 00000006.00000003.1738258496.0000000005400000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
Source: OpenWith.exe, 00000006.00000002.1800884339.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: :PVmCi~
Source: OpenWith.exe, 0000000C.00000003.1849761118.000001C4B36F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMCIDevSymbol
Source: OpenWith.exe, 00000006.00000002.1800473996.0000000003028000.00000004.00000020.00020000.00000000.sdmp, OpenWith.exe, 0000000C.00000002.2090027335.000001C4B1658000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: OpenWith.exe, 0000000C.00000003.1848670499.000001C4B36C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SymbolicLinkymbolicLinkcLinkSymbolicLink
Source: OpenWith.exe, 00000006.00000003.1738258496.0000000005400000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
Source: OpenWith.exe, 0000000C.00000002.2090027335.000001C4B1658000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Code function: 6_3_02BB0283 mov eax, dword ptr fs:[00000030h] 6_3_02BB0283
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe Memory allocated: C:\Windows\System32\dllhost.exe base: 242782B0000 protect: page read and write Jump to behavior
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Code function: 0_2_02792145 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_02792145
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 462000 Jump to behavior
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 472000 Jump to behavior
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000 Jump to behavior
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47B000 Jump to behavior
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47D000 Jump to behavior
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 11C9008 Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe Memory written: C:\Windows\System32\dllhost.exe base: 242782B0000 Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe Memory written: C:\Windows\System32\dllhost.exe base: 7FF70F3314E0 Jump to behavior
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe" Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe" Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows Media Player\setup_wm.exe "C:\Program Files\Windows Media Player\setup_wm.exe" Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe" Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Queries volume information: C:\Users\user\Desktop\TctqdRX5Wq.exe VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\OpenWith.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files\Windows Media Player\setup_wm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\dllhost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F521B18 CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 12_3_00007DF42F521B18
Source: C:\Windows\SysWOW64\OpenWith.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
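As an added triage example (this script is not part of the Joe Sandbox report and not the sandbox's own parsing logic): a Python helper that reads behaviour lines in the format used above and flags the process-hollowing API chain and the "MZ" header written into RegAsm.exe from the HIPS / PFW section, the SLDT check, the near-infinite sleep and the WMI hardware queries from the Malware Analysis System Evasion section, and rebuilds the process chain from the "Process created" lines. The sample lines are copied from this report (the long API list is abridged); the regular expressions, the in-order subsequence check and the 3-minute sleep threshold are the example's own assumptions about the line format.

```python
import re
from dataclasses import dataclass

# Order of API calls that make up classic process hollowing (RunPE). The check is an
# in-order subsequence match, so interleaved GetProcAddress/Wow64* calls do not matter.
HOLLOWING_CHAIN = ("CreateProcessA", "GetThreadContext", "VirtualAllocEx",
                   "WriteProcessMemory", "SetThreadContext", "ResumeThread")
# WMI classes exposing BIOS vendor, chassis model and CPU strings (VM fingerprints).
VM_FINGERPRINT_CLASSES = {"Win32_BIOS", "Win32_ComputerSystem", "Win32_Processor"}
LONG_SLEEP_MS = 3 * 60 * 1000  # same ">= 3 min" threshold the report uses for long sleeps

# Line formats as they appear in the report (assumed, derived from the lines above).
CODE_FN_RE = re.compile(r"^Source: (?P<proc>.+?) Code function: \S+ (?P<apis>[\w,]+) \S+")
MEM_WRITE_RE = re.compile(
    r"^Source: (?P<proc>.+?) Memory written: (?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)"
    r"(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?")
DELAY_RE = re.compile(r"^Source: (?P<proc>.+?) Thread delayed: delay time: (?P<ms>\d+)")
WMI_RE = re.compile(r"^Source: (?P<proc>.+?) WMI Queries: .*?: (?:SELECT \* FROM )?(?P<cls>Win32_\w+)")
PROC_CREATED_RE = re.compile(r'^Source: (?P<parent>.+?) Process created: (?P<child>.+?) "')


@dataclass
class Finding:
    category: str  # "injection" or "evasion"
    process: str
    detail: str


def is_subsequence(needle, haystack):
    """True if every item of needle occurs in haystack in the same relative order."""
    it = iter(haystack)
    return all(item in it for item in needle)


def triage(lines):
    findings = []
    for raw in lines:
        line = raw.strip()
        if " sldt " in line:  # SLDT leaks the LDT selector, a classic VM check
            proc = line.split(" Code function:")[0].removeprefix("Source: ")
            findings.append(Finding("evasion", proc, "SLDT instruction (VM detection)"))
            continue
        if m := CODE_FN_RE.match(line):
            apis = [a for a in m["apis"].split(",") if a]
            if is_subsequence(HOLLOWING_CHAIN, apis):
                findings.append(Finding("injection", m["proc"],
                                        "process-hollowing chain: " + " -> ".join(HOLLOWING_CHAIN)))
            continue
        if m := MEM_WRITE_RE.match(line):
            if (m["magic"] or "").upper() == "4D5A":  # 'MZ': a PE image lands in another process
                findings.append(Finding("injection", m["proc"],
                                        f"PE header written into {m['target']} at 0x{m['base']}"))
            continue
        if m := DELAY_RE.match(line):
            if int(m["ms"]) >= LONG_SLEEP_MS:
                findings.append(Finding("evasion", m["proc"], f"sandbox stall: {m['ms']} ms sleep"))
            continue
        if m := WMI_RE.match(line):
            if m["cls"] in VM_FINGERPRINT_CLASSES:
                findings.append(Finding("evasion", m["proc"], f"WMI hardware fingerprint via {m['cls']}"))
    return findings


def process_chain(lines):
    """Deduplicated (parent, child) edges from 'Process created' lines, in report order."""
    edges = [(m["parent"], m["child"]) for ln in lines if (m := PROC_CREATED_RE.match(ln.strip()))]
    return list(dict.fromkeys(edges))


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


SAMPLE_LINES = [  # copied from the behaviour sections of this report (API list abridged)
    r'Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Code function: 0_2_02792145 GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_02792145',
    r'Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior',
    r'Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 Jump to behavior',
    r'Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_3_00000191683F73F0 sldt word ptr [rax] 16_3_00000191683F73F0',
    r'Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Thread delayed: delay time: 922337203685477 Jump to behavior',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS',
    r'Source: C:\Windows\SysWOW64\OpenWith.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor',
    r'Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F521B18 CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 12_3_00007DF42F521B18',
    r'Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior',
    r'Source: C:\Users\user\Desktop\TctqdRX5Wq.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\OpenWith.exe "C:\Windows\system32\openwith.exe" Jump to behavior',
    r'Source: C:\Windows\SysWOW64\OpenWith.exe Process created: C:\Windows\System32\OpenWith.exe "C:\Windows\system32\openwith.exe" Jump to behavior',
    r'Source: C:\Windows\System32\OpenWith.exe Process created: C:\Program Files\Windows Media Player\setup_wm.exe "C:\Program Files\Windows Media Player\setup_wm.exe" Jump to behavior',
    r'Source: C:\Program Files\Windows Media Player\setup_wm.exe Process created: C:\Windows\System32\dllhost.exe "C:\Windows\system32\dllhost.exe" Jump to behavior',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.category}] {f.process}: {f.detail}")
    for parent, child in process_chain(SAMPLE_LINES):
        print(f"{parent} -> {child}")
```

Run stand-alone it prints two injection findings (the RunPE chain inside TctqdRX5Wq.exe and the MZ header landing at RegAsm.exe base 0x400000), four evasion findings, and the five-hop chain TctqdRX5Wq.exe -> RegAsm.exe -> OpenWith.exe (SysWOW64) -> OpenWith.exe (System32) -> setup_wm.exe -> dllhost.exe. The subsequence match rather than exact adjacency is deliberate: loaders pad the chain with resolver and Wow64 calls, as this sample does.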

Stealing of Sensitive Information

Source: Yara match File source: 0.2.TctqdRX5Wq.exe.3795570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TctqdRX5Wq.exe.3795570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000003.2089235322.000001C4B3A71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1723676965.0000000003795000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1735196079.0000000003010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1847168318.000001C4B3924000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1764339472.0000000004979000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1846690752.000001C4B3871000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1739918743.0000000004100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1800884339.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: OpenWith.exe, 0000000C.00000003.1879887528.000001C4B36EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %\ElectrumSV
Source: OpenWith.exe, 0000000C.00000003.1876882190.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\ElectronCash\config
Source: OpenWith.exe, 0000000C.00000003.1905734640.000001C4B36F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\com.liberty.jaxx
Source: OpenWith.exe, 0000000C.00000003.1876882190.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: OpenWith.exe, 0000000C.00000003.2033593746.000001C4B36F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus
Source: OpenWith.exe, 0000000C.00000003.1876882190.000001C4B366C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %AppData%\Coinomi\Coinomi\wallets
Source: OpenWith.exe, 0000000C.00000002.2090027335.000001C4B1658000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Lives
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Bitcoin\Bitcoin-Qt Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration\Security Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings\main\ms-language-packs\browser\newtab Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\z6bny8rn.default Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\safebrowsing Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\doomed Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings\main\ms-language-packs\browser Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\startupCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\thumbnails Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\safebrowsing\google4 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\trash16598 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2\entries Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cache2 Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings\main Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\fqs92o4p.default-release\settings\main\ms-language-packs Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB Jump to behavior
Source: C:\Windows\System32\OpenWith.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Directory queried: C:\Users\user\Documents\CURQNKVOIX Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Directory queried: C:\Users\user\Documents\DVWHKMNFNN Jump to behavior
Source: C:\Windows\System32\OpenWith.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI Jump to behavior
Source: Yara match File source: Process Memory Space: OpenWith.exe PID: 2872, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.TctqdRX5Wq.exe.3795570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.TctqdRX5Wq.exe.3795570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000003.2089235322.000001C4B3A71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1723676965.0000000003795000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1735196079.0000000003010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1847168318.000001C4B3924000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.1764339472.0000000004979000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.1846690752.000001C4B3871000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1739918743.0000000004100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1800884339.0000000004AA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F521B18 CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 12_3_00007DF42F521B18
Source: C:\Windows\System32\OpenWith.exe Code function: 12_3_00007DF42F554088 socket,bind, 12_3_00007DF42F554088
Source: C:\Program Files\Windows Media Player\setup_wm.exe Code function: 16_2_000001916820CDF4 CreateNamedPipeW,BindIoCompletionCallback,ConnectNamedPipe, 16_2_000001916820CDF4