Windows Analysis Report
utkin.exe

Overview

General Information

Sample name: utkin.exe
Analysis ID: 1581171
MD5: 119891f3f60e7bba10a6b60731a8d211
SHA1: 576db62811bd9aa8c735b90851b8f872bf223248
SHA256: ad9b276a5d2f75e7d1c6b21f95d8a7cb70f482f2621847bca4864d90753de72f
Tags: exe, user-lontze7

Detection

CredGrabber, Meduza Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected CredGrabber
Yara detected Meduza Stealer
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Suricata IDS alerts with low severity for network traffic
Terminates after testing mutex exists (may check infected machine status)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: 0.2.utkin.exe.1c739630000.0.raw.unpack Malware Configuration Extractor: Meduza Stealer {"C2 url": "193.3.19.151", "grabber_max_size": 4194304, "anti_vm": true, "anti_dbg": true, "self_destruct": false, "extensions": ".txt; .doc; .xlsx", "build_name": "hellres", "links": "", "port": 15666}
Source: utkin.exe Virustotal: Detection: 62% Perma Link
Source: utkin.exe ReversingLabs: Detection: 68%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396A7BA0 CryptUnprotectData,LocalFree, 0_2_000001C7396A7BA0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396A8440 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,Concurrency::cancel_current_task, 0_2_000001C7396A8440
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396A83C0 BCryptCloseAlgorithmProvider, 0_2_000001C7396A83C0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739705660 BCryptCloseAlgorithmProvider, 0_2_000001C739705660
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739663A30 BCryptDestroyKey, 0_2_000001C739663A30
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739667C20 CryptUnprotectData,LocalFree, 0_2_000001C739667C20
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396A7EC0 CryptProtectData,LocalFree, 0_2_000001C7396A7EC0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396A8020 BCryptDecrypt,BCryptDecrypt, 0_2_000001C7396A8020
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739705090 CryptUnprotectData, 0_2_000001C739705090
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: utkin.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396EB500 FindClose,FindFirstFileExW,GetLastError, 0_2_000001C7396EB500
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396EB5B0 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle, 0_2_000001C7396EB5B0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739705100 FindFirstFileW, 0_2_000001C739705100
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396B73F0 GetLogicalDriveStringsW, 0_2_000001C7396B73F0
Source: C:\Users\user\Desktop\utkin.exe File opened: D:\sources\migration\
Source: C:\Users\user\Desktop\utkin.exe File opened: D:\sources\replacementmanifests\
Source: C:\Users\user\Desktop\utkin.exe File opened: D:\sources\migration\wtr\
Source: C:\Users\user\Desktop\utkin.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\Users\user\Desktop\utkin.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\Users\user\Desktop\utkin.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\

Networking

Source: Network traffic Suricata IDS: 2049441 - Severity 1 - ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt : 192.168.2.4:49730 -> 193.3.19.151:15666
Source: Network traffic Suricata IDS: 2050806 - Severity 1 - ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 : 192.168.2.4:49730 -> 193.3.19.151:15666
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 193.3.19.151:15666
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
    Accept: text/html; text/plain; */*
    Host: api.ipify.org
    Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 193.3.19.151
Source: Joe Sandbox View IP Address: 172.67.74.152
Source: Joe Sandbox View IP Address: 172.67.74.152
Source: Joe Sandbox View ASN Name: ARNES-NET Academic and Research Network of Slovenia SI
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: Network traffic Suricata IDS: 2050807 - Severity 1 - ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) : 192.168.2.4:49730 -> 193.3.19.151:15666
Source: unknown TCP traffic detected without corresponding DNS query: 193.3.19.151 (50 occurrences)
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396B5240 InternetOpenA,InternetOpenUrlA,HttpQueryInfoW,HttpQueryInfoW,InternetQueryDataAvailable,InternetReadFile,InternetQueryDataAvailable,InternetCloseHandle,Concurrency::cancel_current_task, 0_2_000001C7396B5240
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
    Accept: text/html; text/plain; */*
    Host: api.ipify.org
    Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: utkin.exe, 00000000.00000002.1945491630.000001C737C0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: utkin.exe, 00000000.00000002.1945491630.000001C737C13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: utkin.exe, 00000000.00000002.1945491630.000001C737BAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/A:
Source: utkin.exe, 00000000.00000002.1945491630.000001C737C13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/a
Source: utkin.exe, 00000000.00000002.1945491630.000001C737C0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.orgW
Source: utkin.exe, 00000000.00000002.1945491630.000001C737C0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org_
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396B5B70 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SHCreateMemStream,SelectObject,DeleteDC,ReleaseDC,DeleteObject,EnterCriticalSection,LeaveCriticalSection,IStream_Size,IStream_Reset,IStream_Read,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 0_2_000001C7396B5B70
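The networking evidence above (a TCP session to 193.3.19.151:15666 that no DNS answer explains, and a GET to api.ipify.org carrying no User-Agent header) is what the sandbox's "TCP traffic detected without corresponding DNS query" and "HTTP GET or POST without a user agent" signatures key on. The following Python is an added example, not part of the Joe Sandbox report or of the Meduza sample, showing how to run those same checks over Zeek-style connection, DNS and HTTP records and how to match connections against the C2 host and port from the extracted configuration. The log records, the STANDARD_PORTS set and every IP-lookup host other than api.ipify.org are constructed assumptions.

```python
from ipaddress import ip_address

# C2 host and port copied from the report's extracted Meduza configuration.
MEDUZA_CONFIG = {"C2 url": "193.3.19.151", "port": 15666}

# Ports treated as "standard" for the non-standard-port flag; this set is an assumption.
STANDARD_PORTS = {22, 25, 53, 80, 123, 143, 443, 587, 993, 995}

# Public IP-lookup services; api.ipify.org is from the report, the others are assumed.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ifconfig.me", "icanhazip.com", "ipinfo.io"}

# Constructed Zeek-style records modelled on the report's traffic (not a real capture).
DNS_LOG = [
    {"ts": 10.0, "query": "api.ipify.org", "answers": ["172.67.74.152"]},
]
CONN_LOG = [
    {"ts": 10.5, "src": "192.168.2.4", "sport": 49731, "dst": "172.67.74.152", "dport": 443},
    {"ts": 12.0, "src": "192.168.2.4", "sport": 49730, "dst": "193.3.19.151", "dport": 15666},
    {"ts": 12.2, "src": "192.168.2.4", "sport": 49732, "dst": "192.168.2.1", "dport": 53},
]
HTTP_LOG = [
    {"ts": 10.6, "host": "api.ipify.org", "method": "GET", "uri": "/",
     "headers": {"Accept": "text/html; text/plain; */*", "Cache-Control": "no-cache"}},
]


def first_resolution(dns_log):
    """Earliest timestamp at which each answered IP appeared in a DNS response."""
    first = {}
    for rec in dns_log:
        for ip in rec["answers"]:
            first[ip] = min(rec["ts"], first.get(ip, rec["ts"]))
    return first


def unresolved_connections(conn_log, dns_log):
    """Connections to public IPs with no earlier DNS answer (hard-coded C2 pattern)."""
    first = first_resolution(dns_log)
    hits = []
    for c in conn_log:
        if ip_address(c["dst"]).is_private:
            continue  # RFC 1918 destinations are never resolved by name here
        resolved_before = c["dst"] in first and first[c["dst"]] <= c["ts"]
        if not resolved_before:
            hits.append({**c, "nonstandard_port": c["dport"] not in STANDARD_PORTS})
    return hits


def c2_matches(conn_log, config):
    """Connections that hit the C2 host and port taken from the extracted config."""
    return [c for c in conn_log
            if c["dst"] == config["C2 url"] and c["dport"] == config["port"]]


def http_without_user_agent(http_log):
    """HTTP requests lacking a User-Agent header, tagged when aimed at an IP-lookup service."""
    hits = []
    for h in http_log:
        if any(k.lower() == "user-agent" for k in h["headers"]):
            continue
        hits.append({**h, "ip_lookup": h["host"] in IP_LOOKUP_HOSTS})
    return hits


def summarize(conn_log=CONN_LOG, dns_log=DNS_LOG, http_log=HTTP_LOG, config=MEDUZA_CONFIG):
    """Collect the three detections into one (kind, target, flag) findings list."""
    findings = []
    for c in unresolved_connections(conn_log, dns_log):
        findings.append(("unresolved_tcp", f"{c['dst']}:{c['dport']}", c["nonstandard_port"]))
    for c in c2_matches(conn_log, config):
        findings.append(("c2_match", f"{c['dst']}:{c['dport']}", True))
    for h in http_without_user_agent(http_log):
        findings.append(("no_user_agent", h["host"], h["ip_lookup"]))
    return findings


if __name__ == "__main__":
    for kind, target, flag in summarize():
        print(f"{kind:16} {target:24} {flag}")
```

The unresolved-connection check only makes sense over a window of traffic that includes the DNS responses preceding each session, which is why the DNS timestamp is compared against the connection timestamp rather than just tested for presence. The Suricata alerts listed above fire on the exfiltration payload itself; this heuristic complements them by flagging the session to a bare IP on port 15666 before any data is sent.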

System Summary

Source: 0.2.utkin.exe.1c739630000.0.raw.unpack, type: UNPACKEDPE Matched rule: Finds MeduzaStealer samples based on specific strings Author: Sekoia.io
Source: 0.2.utkin.exe.1c739630000.0.unpack, type: UNPACKEDPE Matched rule: Finds MeduzaStealer samples based on specific strings Author: Sekoia.io
Source: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Finds MeduzaStealer samples based on specific strings Author: Sekoia.io
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396BA430 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize, 0_2_000001C7396BA430
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739705720 NtQueryObject, 0_2_000001C739705720
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396B9D30 GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcess,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle, 0_2_000001C7396B9D30
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396B5240 0_2_000001C7396B5240
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396C918C 0_2_000001C7396C918C
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739660450 0_2_000001C739660450
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739696350 0_2_000001C739696350
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739675310 0_2_000001C739675310
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396F0658 0_2_000001C7396F0658
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C73966E610 0_2_000001C73966E610
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396B76A0 0_2_000001C7396B76A0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396BC5CB 0_2_000001C7396BC5CB
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396EB5B0 0_2_000001C7396EB5B0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C73966D570 0_2_000001C73966D570
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396B6860 0_2_000001C7396B6860
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C73965F730 0_2_000001C73965F730
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C73966CA10 0_2_000001C73966CA10
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739695970 0_2_000001C739695970
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C73966ECB0 0_2_000001C73966ECB0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739662CA0 0_2_000001C739662CA0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739661B90 0_2_000001C739661B90
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396B5B70 0_2_000001C7396B5B70
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739664B70 0_2_000001C739664B70
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396D2E3C 0_2_000001C7396D2E3C
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C73965FE20 0_2_000001C73965FE20
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396BD050 0_2_000001C7396BD050
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396B8030 0_2_000001C7396B8030
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396AF020 0_2_000001C7396AF020
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396620B0 0_2_000001C7396620B0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C73969D080 0_2_000001C73969D080
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739679F80 0_2_000001C739679F80
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396C1220 0_2_000001C7396C1220
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396A02C0 0_2_000001C7396A02C0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396C3150 0_2_000001C7396C3150
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396C6164 0_2_000001C7396C6164
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396DC128 0_2_000001C7396DC128
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C73968C0F0 0_2_000001C73968C0F0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396D71D8 0_2_000001C7396D71D8
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739636180 0_2_000001C739636180
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396DA44F 0_2_000001C7396DA44F
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396BA430 0_2_000001C7396BA430
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C73968C420 0_2_000001C73968C420
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396AB420 0_2_000001C7396AB420
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396D14E4 0_2_000001C7396D14E4
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C73968B480 0_2_000001C73968B480
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396AE2F0 0_2_000001C7396AE2F0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396583D0 0_2_000001C7396583D0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396DA3C8 0_2_000001C7396DA3C8
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396C5394 0_2_000001C7396C5394
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396A63A6 0_2_000001C7396A63A6
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739636610 0_2_000001C739636610
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396D46E4 0_2_000001C7396D46E4
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396D36A8 0_2_000001C7396D36A8
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396D8674 0_2_000001C7396D8674
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396C666C 0_2_000001C7396C666C
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396B6540 0_2_000001C7396B6540
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739656510 0_2_000001C739656510
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739655520 0_2_000001C739655520
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396C5598 0_2_000001C7396C5598
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396698CD 0_2_000001C7396698CD
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396AC8E0 0_2_000001C7396AC8E0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739692750 0_2_000001C739692750
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739684720 0_2_000001C739684720
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396CF7E6 0_2_000001C7396CF7E6
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396C579C 0_2_000001C7396C579C
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C73968B780 0_2_000001C73968B780
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396BA780 0_2_000001C7396BA780
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739663A30 0_2_000001C739663A30
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C73968BAB0 0_2_000001C73968BAB0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396A5AB0 0_2_000001C7396A5AB0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739690AC0 0_2_000001C739690AC0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396D6A68 0_2_000001C7396D6A68
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739660A80 0_2_000001C739660A80
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396CA924 0_2_000001C7396CA924
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739681AF0 0_2_000001C739681AF0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396A8B00 0_2_000001C7396A8B00
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396DBB90 0_2_000001C7396DBB90
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396B0E90 0_2_000001C7396B0E90
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739667E70 0_2_000001C739667E70
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739660E80 0_2_000001C739660E80
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396C8D50 0_2_000001C7396C8D50
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396A4D40 0_2_000001C7396A4D40
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396C0D14 0_2_000001C7396C0D14
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739687CEB 0_2_000001C739687CEB
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C73968BDD0 0_2_000001C73968BDD0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C73966ADD0 0_2_000001C73966ADD0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739635DB0 0_2_000001C739635DB0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396370E0 0_2_000001C7396370E0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396CF0D8 0_2_000001C7396CF0D8
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396D30B8 0_2_000001C7396D30B8
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C73966BF40 0_2_000001C73966BF40
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396A5EF0 0_2_000001C7396A5EF0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396EFFBC 0_2_000001C7396EFFBC
Source: C:\Users\user\Desktop\utkin.exe Code function: String function: 000001C73965BA80 appears 32 times
Source: C:\Users\user\Desktop\utkin.exe Code function: String function: 000001C73965E1D0 appears 33 times
Source: C:\Users\user\Desktop\utkin.exe Code function: String function: 000001C739666940 appears 41 times
Source: C:\Users\user\Desktop\utkin.exe Code function: String function: 000001C7396C8254 appears 34 times
Source: C:\Users\user\Desktop\utkin.exe Code function: String function: 000001C7396786B0 appears 54 times
Source: 0.2.utkin.exe.1c739630000.0.raw.unpack, type: UNPACKEDPE Matched rule: infostealer_win_meduzastealer author = Sekoia.io, description = Finds MeduzaStealer samples based on specific strings, creation_date = 2023-06-20, classification = TLP:CLEAR, version = 1.0, id = 1276f485-aa5d-491b-89d8-77f98dc496e1
Source: 0.2.utkin.exe.1c739630000.0.unpack, type: UNPACKEDPE Matched rule: infostealer_win_meduzastealer author = Sekoia.io, description = Finds MeduzaStealer samples based on specific strings, creation_date = 2023-06-20, classification = TLP:CLEAR, version = 1.0, id = 1276f485-aa5d-491b-89d8-77f98dc496e1
Source: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: infostealer_win_meduzastealer author = Sekoia.io, description = Finds MeduzaStealer samples based on specific strings, creation_date = 2023-06-20, classification = TLP:CLEAR, version = 1.0, id = 1276f485-aa5d-491b-89d8-77f98dc496e1
Source: classification engine Classification label: mal100.troj.spyw.winEXE@1/0@1/2
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396BB9B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle, 0_2_000001C7396BB9B0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739705008 AdjustTokenPrivileges,CredEnumerateA, 0_2_000001C739705008
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C73966E610 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_000001C73966E610
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396A4ED0 CoCreateInstance, 0_2_000001C7396A4ED0
Source: C:\Users\user\Desktop\utkin.exe Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E6963BBED9AD4
Source: utkin.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\utkin.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: utkin.exe Virustotal: Detection: 62%
Source: utkin.exe ReversingLabs: Detection: 68%
Source: C:\Users\user\Desktop\utkin.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\utkin.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\utkin.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\utkin.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: utkin.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: utkin.exe Static file information: File size 2749952 > 1048576
Source: utkin.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x24bc00
Source: utkin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: utkin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: utkin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: utkin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: utkin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: utkin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: utkin.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: utkin.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: utkin.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: utkin.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: utkin.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: utkin.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: utkin.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
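The static PE facts above (HIGH_ENTROPY_VA, DYNAMIC_BASE and NX_COMPAT in DllCharacteristics, an image base of 0x140000000, a 2.7 MB file whose .rdata section alone has a raw size of 0x24bc00, and data directories located in .rdata, .rsrc and .reloc) all come straight from the PE headers. The following Python is an added example, not taken from the report or from any tool it names, that parses those headers with only the standard library and reproduces the report's size and layout checks. The build_sample_pe helper constructs a header-only PE32+ laid out like the sample so the parser can be exercised offline; its values are an assumption modelled on the report, not bytes from utkin.exe.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (PE/COFF specification).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
# Data-directory slots in header order; only the first 16 are defined.
DATA_DIRECTORIES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
    "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
    "DELAY_IMPORT", "CLR", "RESERVED",
]
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE", 0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def parse_pe(data: bytes) -> dict:
    """Read the headers of a PE32+ (x64) file and return the facts used for static triage."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ images are handled here")
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]      # ImageBase is 8 bytes in PE32+
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]       # DllCharacteristics
    n_dirs = struct.unpack_from("<I", data, opt + 108)[0]         # NumberOfRvaAndSizes
    dirs = {}
    for i in range(min(n_dirs, 16)):
        rva, _size = struct.unpack_from("<II", data, opt + 112 + 8 * i)
        if rva:
            dirs[DATA_DIRECTORIES[i]] = rva
    sections = []
    for i in range(nsections):  # section table follows the optional header
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va,
                         "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "flags": [n for f, n in SECTION_FLAGS.items() if chars & f]})

    def section_of(rva):
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
                return s["name"]
        return None

    return {"machine": machine, "image_base": image_base,
            "dll_characteristics": [n for f, n in DLL_CHARACTERISTICS.items() if dll_chars & f],
            "sections": sections,
            "directories": {name: section_of(rva) for name, rva in dirs.items()}}


def triage(info: dict, file_size: int) -> list:
    """Size and layout notes in the style of the report's static PE checks."""
    notes = []
    if info["image_base"] > 0x60000000:
        notes.append(f"image base 0x{info['image_base']:x} > 0x60000000")
    if file_size > 0x100000:
        notes.append(f"file size {file_size} > 1048576")
    for s in info["sections"]:
        if s["raw_size"] > 0x100000:
            notes.append(f"raw size of {s['name']} 0x{s['raw_size']:x} > 0x100000")
    return notes


def build_sample_pe() -> bytes:
    """Constructed PE32+ header only (no code) laid out like the report's sample; an assumption."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at offset 0x3C
    # name, virtual address, virtual size, raw size, raw pointer, characteristics
    secs = [(b".text", 0x1000, 0x80000, 0x80000, 0x400, 0x60000020),
            (b".rdata", 0x81000, 0x24BC00, 0x24BC00, 0x80400, 0x40000040),
            (b".rsrc", 0x2CD000, 0x1000, 0x200, 0x2CC000, 0x40000040),
            (b".reloc", 0x2CE000, 0x1000, 0x200, 0x2CC200, 0x42000040)]
    coff = struct.pack("<HHIIIHH", 0x8664, len(secs), 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, 0x80000, 0x24C000, 0, 0x1000, 0x1000, 0x140000000,
                      0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x2CF000, 0x400, 0, 3,
                      0x8160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1], dirs[2], dirs[5] = (0x82000, 0x100), (0x2CD000, 0x800), (0x2CE000, 0x100)
    dirs[6], dirs[10], dirs[12] = (0x83000, 0x38), (0x84000, 0x140), (0x81000, 0x800)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, c)
                    for n, va, vs, rs, rp, c in secs)
    return dos + b"PE\0\0" + coff + opt + hdrs


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["dll_characteristics"], info["directories"])
    print(triage(info, 2749952))
```

Two caveats for anyone reading these notes on a real sample: 0x140000000 is the default image base for 64-bit MSVC builds, so the "image base > 0x60000000" line on its own says nothing about maliciousness; and the oversized .rdata is the more telling fact, because .rdata is where an MSVC build keeps its read-only strings, which is what the Sekoia rule and the crypto-wallet string signature in this report match on. The parser handles only PE32+ and does not check that raw pointers fall inside the file, so use pefile or lief for anything beyond header triage.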
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C73966D570 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 0_2_000001C73966D570
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C73967CAB2 push rdi; retf 0004h 0_2_000001C73967CAB5
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396AC600 ExitProcess,OpenMutexA,ExitProcess,CreateMutexA,CreateMutexExA,ExitProcess,ReleaseMutex,CloseHandle, 0_2_000001C7396AC600
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396EB500 FindClose,FindFirstFileExW,GetLastError, 0_2_000001C7396EB500
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396EB5B0 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle, 0_2_000001C7396EB5B0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C739705100 FindFirstFileW, 0_2_000001C739705100
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396B73F0 GetLogicalDriveStringsW, 0_2_000001C7396B73F0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396C9038 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect, 0_2_000001C7396C9038
Source: C:\Users\user\Desktop\utkin.exe File opened: D:\sources\migration\
Source: C:\Users\user\Desktop\utkin.exe File opened: D:\sources\replacementmanifests\
Source: C:\Users\user\Desktop\utkin.exe File opened: D:\sources\migration\wtr\
Source: C:\Users\user\Desktop\utkin.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\Users\user\Desktop\utkin.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\Users\user\Desktop\utkin.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\
Source: utkin.exe, 00000000.00000002.1945491630.000001C737C13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWT
Source: utkin.exe, 00000000.00000002.1945491630.000001C737C13000.00000004.00000020.00020000.00000000.sdmp, utkin.exe, 00000000.00000002.1945491630.000001C737BAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\utkin.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\utkin.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\utkin.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396BA430 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize, 0_2_000001C7396BA430
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7397052D0 IsDebuggerPresent, 0_2_000001C7397052D0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396ED804 GetLastError,IsDebuggerPresent,OutputDebugStringW, 0_2_000001C7396ED804
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C73966D570 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 0_2_000001C73966D570
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396D9EEC GetProcessHeap, 0_2_000001C7396D9EEC
Source: C:\Users\user\Desktop\utkin.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7397052E0 SetUnhandledExceptionFilter, 0_2_000001C7397052E0
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396C7F68 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000001C7396C7F68
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396AB420 ShellExecuteW, 0_2_000001C7396AB420
Source: C:\Users\user\Desktop\utkin.exe Code function: GetLocaleInfoEx,FormatMessageA, 0_2_000001C7396EB170
Source: C:\Users\user\Desktop\utkin.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_000001C7396D9468
Source: C:\Users\user\Desktop\utkin.exe Code function: GetLocaleInfoW, 0_2_000001C7396D9310
Source: C:\Users\user\Desktop\utkin.exe Code function: GetLocaleInfoW, 0_2_000001C7397053A0
Source: C:\Users\user\Desktop\utkin.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_000001C7396D964C
Source: C:\Users\user\Desktop\utkin.exe Code function: GetLocaleInfoW, 0_2_000001C7396D9518
Source: C:\Users\user\Desktop\utkin.exe Code function: EnumSystemLocalesW, 0_2_000001C7396CDAE0
Source: C:\Users\user\Desktop\utkin.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_000001C7396D8C04
Source: C:\Users\user\Desktop\utkin.exe Code function: EnumSystemLocalesW, 0_2_000001C7396D9030
Source: C:\Users\user\Desktop\utkin.exe Code function: GetLocaleInfoW, 0_2_000001C7396CE020
Source: C:\Users\user\Desktop\utkin.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_000001C7396D90C8
Source: C:\Users\user\Desktop\utkin.exe Code function: EnumSystemLocalesW, 0_2_000001C7396D8F60
Source: C:\Users\user\Desktop\utkin.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\utkin.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\utkin.exe Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396C840C GetSystemTimeAsFileTime, 0_2_000001C7396C840C
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396B6150 GetUserNameW, 0_2_000001C7396B6150
Source: C:\Users\user\Desktop\utkin.exe Code function: 0_2_000001C7396B76A0 GetTimeZoneInformation, 0_2_000001C7396B76A0

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: utkin.exe PID: 1772, type: MEMORYSTR
Source: Yara match File source: 0.2.utkin.exe.1c739630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.utkin.exe.1c739630000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1945491630.000001C737BAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: utkin.exe PID: 1772, type: MEMORYSTR
Source: utkin.exe, 00000000.00000002.1945491630.000001C737BAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Electrum-LTC\config
Source: utkin.exe, 00000000.00000002.1945491630.000001C737BAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectronCash\config
Source: utkin.exe, 00000000.00000002.1945491630.000001C737BAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Exodus\exodus.wallet
Source: utkin.exe, 00000000.00000002.1945491630.000001C737BAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum\keystore
Source: utkin.exe, 00000000.00000002.1945491630.000001C737BAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum\keystore
Source: C:\Users\user\Desktop\utkin.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\utkin.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\Desktop\utkin.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\utkin.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\utkin.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old
Source: C:\Users\user\Desktop\utkin.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\utkin.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\utkin.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\utkin.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK
Source: C:\Users\user\Desktop\utkin.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\utkin.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\utkin.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
Source: C:\Users\user\Desktop\utkin.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\Desktop\utkin.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Source: C:\Users\user\Desktop\utkin.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001
Source: C:\Users\user\Desktop\utkin.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\utkin.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\utkin.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Desktop\utkin.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\utkin.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Source: Yara match File source: Process Memory Space: utkin.exe PID: 1772, type: MEMORYSTR
Source: Yara match File source: 0.2.utkin.exe.1c739630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.utkin.exe.1c739630000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1945491630.000001C737BAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1945764620.000001C739630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: utkin.exe PID: 1772, type: MEMORYSTR